Serial number: AV26-431
Date: May 7, 2026
On May 6, 2026, Spring published security advisories to address vulnerabilities in multiple products. Included was a critical update for the following:
- Spring Cloud Config – multiple versions
The Cyber Centre encourages users and administrators to review the provided web link and apply the necessary updates.
- CVE-2026-40981: Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager
- CVE-2026-40982: Directory Traversal with spring-cloud-config-server
- CVE-2026-41002: Spring Cloud Config Server Susceptible To TOCTOU Attack
- Spring Security Advisories