CVE-2026-40981

CVE-2026-40981 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 07.05.2026 Updated: 07.05.2026

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Cloud Config
Versions	Default: unaffected affected from 3.1.0 to 3.1.14 (excl.) affected from 4.1.0 to 4.1.10 (excl.) affected from 4.2.0 to 4.2.7 (excl.) affected from 4.3.0 to 4.3.3 (excl.) affected from 5.0.0 to 5.0.3 (excl.)

Vendor

Spring

Product

Spring Cloud Config

Versions

Default: unaffected

affected from 3.1.0 to 3.1.14 (excl.)
affected from 4.1.0 to 4.1.10 (excl.)
affected from 4.2.0 to 4.2.7 (excl.)
affected from 4.3.0 to 4.3.3 (excl.)
affected from 5.0.0 to 5.0.3 (excl.)

References

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE

Impacts

An unauthenticated remote attacker can craft a request to the Config Server to expose sensitive secrets from unintended GCP projects, compromising the confidentiality of data managed by the server.