Critical Directory Traversal and Secret Exposure Flaws in Spring Cloud Config Server
VMware Tanzu Spring Cloud Config Server is affected by multiple newly disclosed vulnerabilities, led by CVE-2026-40982, a critical CWE-22 directory traversal flaw that lets unauthenticated attackers use crafted URLs to read arbitrary text and binary files from the host running spring-cloud-config-server. Public reporting says the issue affects release lines 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x, with the most severe impact tied to unauthorized file access from network-reachable servers.
Additional flaws include CVE-2026-40981, which can expose Google Secrets Manager data from unintended GCP projects, CVE-2026-41002, a race condition involving the Git repository clone base directory, and CVE-2026-41004, which can leak sensitive information into plaintext logs when trace logging is enabled. Spring has released fixes including 4.3.3 and 5.0.3 for open-source users, while enterprise support customers were directed to 3.1.14, 4.1.10, and 4.2.7; a temporary mitigation for the GCP secret exposure issue is to require token validation before serving project secrets.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Mitigation guidance published for GCP Secret Manager exposure flaw
For CVE-2026-40981, temporary mitigation guidance was published advising users to set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true to require token validation before serving project secrets.
Spring releases fixes for four disclosed Spring Cloud Config flaws
Reporting on the disclosures identified four vulnerabilities—CVE-2026-40982, CVE-2026-40981, CVE-2026-41002, and CVE-2026-41004—and said patched versions were released, including 4.3.3 and 5.0.3 for open-source users and 3.1.14, 4.1.10, and 4.2.7 for enterprise support customers.
CVE record details CVE-2026-40982 and affected release lines
A CVE entry for CVE-2026-40982 documented the flaw as a CWE-22 directory traversal issue, noted it was received by security@vmware.com on May 7, 2026, and listed affected and fixed versions across several release branches.
dCERT issues advisory on multiple Spring Cloud Config vulnerabilities
dCERT published Advisory 2026-1379 covering multiple vulnerabilities affecting VMware Tanzu Spring Cloud Config.
Spring discloses CVE-2026-40982 in Spring Cloud Config Server
Spring published a security advisory for CVE-2026-40982, a directory traversal vulnerability in spring-cloud-config-server that can allow access to arbitrary files via crafted URLs.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Critical Spring Vulnerabilities Expose Arbitrary Files and GCP Secrets
cybersecuritynews.com
Open sourceCVE-2026-40982 - Spring Cloud Config Directory Traversal Vulnerability
cvefeed.io
Open sourcedCERT - Advisory 2026-1379 - VMware Tanzu Spring Cloud Config: Multiple Vulnerabilities
dcert.de
Open sourceCVE-2026-40982: Directory Traversal with spring-cloud-config-server
spring.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spring Cloud Config and Spring AI Flaws Expose Systems to RCE and SSRF
The Canadian Centre for Cyber Security issued advisory **AV26-288** warning that multiple vulnerabilities disclosed by Spring affect **Spring Cloud Config** and **Spring AI**, including **server-side request forgery (SSRF)**, unintended file access, query injection, and a **SpEL injection** that can lead to **remote code execution (RCE)**. The notice says the issues were disclosed by Spring between March 23 and 26 and urged organizations to review the vendor advisories and assess exposure in affected deployments. Affected versions include **Spring Cloud Config** releases prior to **3.1.3**, **4.1.9**, **4.2.6**, **4.3.2**, and **5.0.2**, along with **Spring AI** versions prior to **1.0.5** and **1.1.4**. The Cyber Centre advised administrators and users to apply the relevant updates to reduce the risk of exploitation against exposed services and vulnerable application environments.
May 25, 2026
Critical RCE Flaws Disclosed in Ivanti CSA and VMware vCenter
Critical vulnerabilities were disclosed in **Ivanti Cloud Services Application (CSA)** and **VMware vCenter Server** products, exposing enterprise management platforms to remote compromise. Ivanti said CSA `5.0.2` and earlier contain three flaws—`CVE-2024-11639`, `CVE-2024-11772`, and `CVE-2024-11773`—that can enable authentication bypass, remote code execution, and arbitrary SQL query execution through the administrator browser console, with the most severe issues rated **CVSS 10.0**. Ivanti released fixes in CSA `5.0.3` and urged customers to update immediately. VMware also disclosed two vulnerabilities affecting **vCenter Server** and **VMware Cloud Foundation**: `CVE-2024-38812`, a heap overflow that can allow arbitrary code execution, and `CVE-2024-38813`, which can enable privilege escalation to root. The flaws affect vCenter Server `7.0` and `8.0` as well as VMware Cloud Foundation `4.x` and `5.x`, and can be exploited remotely over the network using specially crafted packets. In both vendor notices, no active exploitation had been confirmed at the time of disclosure, but organizations and service providers were advised to apply vendor-fixed versions without delay because successful attacks could result in full administrative compromise.
Apr 24, 2026
Multiple Critical Vulnerability Disclosures Across Gogs, Jinjava, and Kubernetes Local Path Provisioner
Several **high-severity vulnerability disclosures** were published across widely used developer and infrastructure components, with impacts ranging from **remote code execution (RCE)** to **account takeover** and **arbitrary host file writes**. In *Gogs* (self-hosted Git service), three CVEs were reported: **CVE-2025-64111** (CVSS 9.3) enables RCE by bypassing checks in `UpdateRepoFile` to modify `.git/config` via the API (described as an insufficient fix for an earlier issue); **CVE-2025-64175** (CVSS 7.7) allows a **cross-account 2FA recovery-code bypass** in versions `0.13.3` and earlier if an attacker already has a victim’s username/password; and **CVE-2026-24135** (CVSS 7.2) is a wiki rename path traversal that can delete arbitrary files by manipulating `old_title`. Separately, *Jinjava* (HubSpot CMS template engine) disclosed **CVE-2026-25526** (CVSS 9.8), a sandbox escape chain that permits arbitrary Java code execution by abusing `ForTag` iteration behavior (Bean ELResolver restriction bypass) and `ObjectMapper`-based JSON deserialization to instantiate disallowed classes. A critical Kubernetes storage issue was also disclosed in *Kubernetes Local Path Provisioner*: **CVE-2025-62878** (CVSS 10.0) allows directory traversal via the `parameters.pathPattern` setting, enabling a user who can create storage resources to provision volumes in arbitrary host locations (e.g., `/etc`) and potentially overwrite sensitive files on cluster nodes. In parallel to these product flaws, separate research reported widespread **exposure of Git metadata** on the public internet—approximately **4.96 million** IPs with accessible `.git` directories and **250,000+** exposing `.git/config` files that may contain deployment credentials—highlighting a common, high-impact misconfiguration pattern that can enable source code reconstruction and secret theft. Active exploitation activity was reported for *Ivanti Endpoint Manager Mobile (EPMM)* involving **CVE-2026-1281** and **CVE-2026-1340**, where attackers were observed dropping `/mifs/403.jsp` and using a Base64-delivered Java class loader designed for delayed, in-memory activation rather than immediate interactive webshell use.
Mar 21, 2026