PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40981 Spring CVE debrief

CVE-2026-40981 is a high-severity vulnerability in VMware Spring Cloud Config that could allow exposure of secrets from unintended GCP projects when using Google Secrets Manager as a backend. The vulnerability affects multiple versions of Spring Cloud Config, including 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. To mitigate this vulnerability, users should upgrade to the latest version of Spring Cloud Config. The CVE was published on May 7, 2026, and last modified on June 30, 2026.

Vendor: Spring
Product: Spring Cloud Config
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-07
Original CVE updated: 2026-06-30
Advisory published: 2026-05-07
Advisory updated: 2026-06-30

Who should care

Security teams and administrators responsible for VMware Spring Cloud Config deployments should be aware of this vulnerability and take immediate action to mitigate it. This vulnerability could potentially expose sensitive information, making it a high-priority issue to address.

Technical summary

The vulnerability exists in the Spring Cloud Config server when using Google Secrets Manager as a backend. A client can craft a request to the config server, potentially exposing secrets from unintended GCP projects. The affected versions of Spring Cloud Config are 3.1.x (from 3.1.0 to 3.1.13), 4.1.x (from 4.1.0 to 4.1.9), 4.2.x (from 4.2.0 to 4.2.6), 4.3.x (from 4.3.0 to 4.3.2), and 5.0.x (from 5.0.0 to 5.0.2).

Defensive priority

High priority due to potential exposure of sensitive information.

Recommended defensive actions

  • Upgrade to Spring Cloud Config version 3.1.14 or greater (Enterprise Support Only) for 3.1.x deployments.
  • Upgrade to Spring Cloud Config version 4.1.10 or greater (Enterprise Support Only) for 4.1.x deployments.
  • Upgrade to Spring Cloud Config version 4.2.7 or greater (Enterprise Support Only) for 4.2.x deployments.
  • Upgrade to Spring Cloud Config version 4.3.3 or greater for 4.3.x deployments.
  • Upgrade to Spring Cloud Config version 5.0.3 or greater for 5.0.x deployments.
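As an added example (not PatchSiren's or Spring's code), the following script turns the version ranges above into a check you can run over `mvn dependency:list` output: it classifies a `spring-cloud-config-server` version as affected, fixed, or not covered by this debrief, and names the first fixed release to move to. The dependency line format and sample output are constructed for the run.

```python
# Added example (not PatchSiren's or Spring's code): check a Spring Cloud Config
# server version against the affected ranges and fixed releases listed in this
# debrief for CVE-2026-40981, and scan Maven dependency:list output for it.
import re
from typing import Iterable, Iterator, Optional, Tuple

# (major, minor) -> (last affected patch, first fixed release), copied from the
# debrief. Every affected branch starts at X.Y.0, so only the upper bound matters.
AFFECTED_BRANCHES = {
    (3, 1): (13, "3.1.14"),
    (4, 1): (9, "4.1.10"),
    (4, 2): (6, "4.2.7"),
    (4, 3): (2, "4.3.3"),
    (5, 0): (2, "5.0.3"),
}

def parse_version(version: str) -> Tuple[int, int, int]:
    """Numeric part of a Maven-style version; '-SNAPSHOT' or '.RELEASE' suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def assess(version: str) -> Tuple[str, Optional[str]]:
    """("affected", first fixed release), ("fixed", None), or ("not listed", None)
    for branches the debrief does not cover (the page makes no claim about them)."""
    major, minor, patch = parse_version(version)
    entry = AFFECTED_BRANCHES.get((major, minor))
    if entry is None:
        return "not listed", None
    last_affected, fixed = entry
    return ("affected", fixed) if patch <= last_affected else ("fixed", None)

# Artifact line as printed by `mvn dependency:list` (groupId:artifactId:type:version:scope).
_DEP_RE = re.compile(r"org\.springframework\.cloud:spring-cloud-config-server:jar:([^:\s]+)")

def scan_dependency_list(lines: Iterable[str]) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (version, status, first fixed release) for each config-server artifact found."""
    for line in lines:
        m = _DEP_RE.search(line)
        if m:
            status, fixed = assess(m.group(1))
            yield m.group(1), status, fixed

# Constructed sample of dependency:list output so the block runs stand-alone.
SAMPLE_DEPENDENCY_LIST = """
[INFO]    org.springframework.boot:spring-boot-starter:jar:3.4.1:compile
[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.2.6:compile
"""

if __name__ == "__main__":
    for version, status, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST.splitlines()):
        print(f"spring-cloud-config-server {version}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```

Pipe real `mvn dependency:list` output into `scan_dependency_list` to check a build; versions outside the listed branches are reported as "not listed" rather than assumed safe.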

Evidence notes

The CVE-2026-40981 record was published on May 7, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE is associated with CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-1220 (Insufficient Granularity of Access Control).

Official resources

This article is AI-assisted and based on the supplied source corpus.