CVE-2026-41004 Overview
CVE-2026-41004 is an information disclosure vulnerability in Spring Cloud Config Server. When trace logging is enabled, the server writes sensitive information in plain text to its log output. The flaw is classified under CWE-532: Insertion of Sensitive Information into Log File.
The vulnerability affects multiple Spring Cloud Config branches, including the 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x release lines. Exploitation requires local access with high privileges to read log files containing the exposed data.
Critical Impact
Operators with access to Spring Cloud Config Server trace logs can read configuration secrets such as credentials, tokens, and other sensitive values intended to be protected.
Affected Products
- Spring Cloud Config 3.1.0 through 3.1.13
- Spring Cloud Config 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, and 4.3.0 through 4.3.2
- Spring Cloud Config 5.0.0 through 5.0.2
Discovery Timeline
- 2026-05-07 - CVE-2026-41004 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-41004
Vulnerability Analysis
Spring Cloud Config Server centralizes externalized configuration for distributed applications. When trace-level logging is enabled, the server emits diagnostic output describing requests, responses, and internal state during configuration retrieval.
The affected versions write sensitive configuration values directly into these trace logs without redaction. Property values that are typically protected, such as database passwords, API keys, and OAuth client secrets, appear in plain text. Anyone with read access to the log files or downstream log aggregation systems can recover these secrets.
The issue is local in scope and requires high privileges, since an attacker must already have access to the host or log storage. The confidentiality impact is high because exposed configuration secrets can grant access to backing services well beyond the Config Server itself.
Root Cause
The root cause is improper handling of sensitive properties in the trace logging code path. Logging statements include serialized property maps without applying the masking logic used elsewhere in the framework, resulting in clear-text disclosure of values that should be redacted.
Attack Vector
An attacker with local access to a host running Spring Cloud Config Server, or with read access to its log output, can review trace logs after configuration requests have been processed. Secrets retrieved by client applications during normal operation are then available for collection. The attacker does not need to interact with the Config Server's HTTP interface to obtain the data.
The vulnerability cannot be triggered remotely without prior privileged access. Refer to the Spring Security Advisory CVE-2026-41004 for additional technical context.
Detection Methods for CVE-2026-41004
Indicators of Compromise
- Spring Cloud Config Server log files containing plain-text property values such as spring.datasource.password, client-secret, or API token fields.
- Log shipping pipelines (Fluentd, Logstash, syslog) carrying Config Server trace output to aggregation platforms where additional users have read access.
- Configuration profiles where logging.level.org.springframework.cloud.config or related loggers are set to TRACE or DEBUG.
Detection Strategies
- Audit running Config Server instances for the affected versions listed in the Spring advisory and confirm whether trace logging is currently enabled.
- Scan archived log files for property keys commonly associated with secrets, including password, secret, token, and apiKey, to determine whether disclosure has already occurred.
- Review log retention policies and access control lists on log storage to identify accounts that could have read exposed values.
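The log-scanning step in the Detection Strategies above, as an added example that is not code from the advisory or from Spring: it scans Config Server log lines for property keys that usually carry secrets, reports them with the value redacted, and flags whether TRACE/DEBUG lines are present at all. The sample lines, the Spring-Boot-like line layout, the key=value / key: value syntax and the secret-key hints are assumptions, not real Config Server trace output.

```python
"""Scan Spring Cloud Config Server log lines for secret-bearing property keys.
Added example; the log format and key syntax below are assumptions."""
import re

# Fragments that mark a property key as sensitive. Keys are lowercased and
# stripped of '-' and '_' first, so client-secret, api_key and apiKey all match.
SECRET_KEY_HINTS = ("password", "secret", "token", "apikey", "credential")

# key=value or key: value. The key must be immediately followed by the
# separator and the value stops at whitespace, ',', '{', '}' or '='. That
# skips the "logger : message" separator Spring puts before the message text.
PAIR_RE = re.compile(r"([A-Za-z0-9_.\-\[\]]+)[=:]\s*([^,{}=\s]+)")
LEVEL_RE = re.compile(r"\b(TRACE|DEBUG)\b")


def is_secret_key(key: str) -> bool:
    """True when the property name suggests a credential, token or key."""
    normalized = key.lower().replace("-", "").replace("_", "")
    return any(hint in normalized for hint in SECRET_KEY_HINTS)


def redact(value: str) -> str:
    """Keep a two-character prefix for triage without re-exposing the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_log_lines(lines):
    """Return (line_no, key, redacted_value) for every secret-like pair found."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for key, value in PAIR_RE.findall(line):
            if is_secret_key(key):
                findings.append((line_no, key, redact(value)))
    return findings


def verbose_logging_present(lines) -> bool:
    """True if any line was emitted at TRACE or DEBUG, i.e. the risky level is on."""
    return any(LEVEL_RE.search(line) for line in lines)


# Constructed sample lines (not real Config Server output) for a dry run.
SAMPLE_LOG = [
    "2026-05-07 10:00:01 TRACE o.s.c.c.s.EnvironmentController : Returning environment {name=app, profiles=[prod]}",
    "2026-05-07 10:00:01 TRACE o.s.c.c.s.EnvironmentController : propertySources={spring.datasource.password=Pa55w0rd!, spring.datasource.url=jdbc:postgresql://db/app}",
    "2026-05-07 10:00:02 DEBUG o.s.c.c.s.EnvironmentController : security.oauth2.client.client-secret: s3cr3t-value",
    "2026-05-07 10:00:03 INFO  o.s.c.c.s.EnvironmentController : Fetched config for app:prod",
]
```

Run it over archived Config Server logs line by line; any finding means the listed credential should be rotated, whatever the current logger level is.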
Monitoring Recommendations
- Alert on changes to Spring logging configuration that elevate Config Server loggers to TRACE level in production environments.
- Monitor file system and SIEM access events for reads against Config Server log directories by non-administrative accounts.
- Track outbound use of credentials known to have appeared in trace logs to detect post-exposure abuse.
How to Mitigate CVE-2026-41004
Immediate Actions Required
- Disable trace-level logging on Spring Cloud Config Server until the upgrade is complete.
- Rotate any credentials, tokens, or keys that may have been written to trace logs on affected versions.
- Restrict file system and log aggregation permissions so only authorized administrators can read Config Server logs.
Patch Information
Upgrade to a fixed release per the Spring Security Advisory CVE-2026-41004: Spring Cloud Config 3.1.14 or greater (Enterprise Support Only), 4.1.10 or greater (Enterprise Support Only), 4.2.7 or greater (Enterprise Support Only), 4.3.3 or greater, and 5.0.3 or greater. After upgrading, review existing log archives and purge any historical entries that contain exposed secrets.
Workarounds
- Set Spring Cloud Config logger levels to INFO or a less verbose level to suppress trace output that contains property values.
- Route Config Server logs to a restricted storage location with strict access controls and short retention.
- Use external secret managers so that sensitive values are resolved at runtime by clients rather than being returned through Config Server responses.
# Configuration example: disable trace logging for Spring Cloud Config
# application.yml on the Config Server
logging:
  level:
    org.springframework.cloud.config: INFO
    org.springframework.cloud.config.server: INFO
    org.springframework.web: INFO
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.