CVE-2026-41004

CVE-2026-41004 PUBLISHED

Assigner: vmware
Reserved: 16.04.2026 Published: 07.05.2026 Updated: 07.05.2026

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 4.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Cloud Config
Versions	Default: unaffected affected from 3.1.0 to 3.1.14 (excl.) affected from 4.1.0 to 4.1.10 (excl.) affected from 4.2.0 to 4.2.7 (excl.) affected from 4.3.0 to 4.3.3 (excl.) affected from 5.0.0 to 5.0.3 (excl.)

Vendor

Spring

Product

Spring Cloud Config

Versions

Default: unaffected

affected from 3.1.0 to 3.1.14 (excl.)
affected from 4.1.0 to 4.1.10 (excl.)
affected from 4.2.0 to 4.2.7 (excl.)
affected from 4.3.0 to 4.3.3 (excl.)
affected from 5.0.0 to 5.0.3 (excl.)

References

Problem Types

CWE-532: Insertion of Sensitive Information into Log File CWE

Impacts

A privileged local user with trace logging enabled can read sensitive information exposed in plain text in Spring Cloud Config Server log output, compromising confidentiality.