CVE-2026-41002

CVE-2026-41002 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 07.05.2026 Updated: 07.05.2026

The base directory (spring.cloud.config.server.git.basedir) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
CVSS Score: 7.4

Attack Vector	Local	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Cloud Config
Versions	Default: unaffected affected from 3.1.0 to 3.1.14 (excl.) affected from 4.1.0 to 4.1.10 (excl.) affected from 4.2.0 to 4.2.7 (excl.) affected from 4.3.0 to 4.3.3 (excl.) affected from 5.0.0 to 5.0.3 (excl.)

Vendor

Spring

Product

Spring Cloud Config

Versions

Default: unaffected

affected from 3.1.0 to 3.1.14 (excl.)
affected from 4.1.0 to 4.1.10 (excl.)
affected from 4.2.0 to 4.2.7 (excl.)
affected from 4.3.0 to 4.3.3 (excl.)
affected from 5.0.0 to 5.0.3 (excl.)

References

Problem Types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition CWE

Impacts

A local privileged attacker who can influence the Git base directory can exploit the TOCTOU race condition to compromise confidentiality and integrity of data cloned by Spring Cloud Config Server.