CVE-2026-22739 PUBLISHED

Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks

Assigner: vmware
Reserved: 09.01.2026 Published: 24.03.2026 Updated: 24.03.2026

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVSS Score: 8.6

https://spring.io/security/cve-2026-22739

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	Low

https://spring.io/security/cve-2026-22739

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Cloud
Versions	Default: unaffected affected from 3.1.x to 3.1.13 (excl.) affected from 4.1.x to 4.1.9 (excl.) affected from 4.2.x to 4.2.3 (excl.) affected from 4.3.x to 4.3.2 (excl.) affected from 5.0.x to 5.0.2 (excl.)

References

https://spring.io/security/cve-2026-22739