PatchSiren cyber security CVE debrief
CVE-2026-40981 Spring CVE debrief
CVE-2026-40981 is a high-severity vulnerability in VMware Spring Cloud Config that could allow exposure of secrets from unintended GCP projects when using Google Secrets Manager as a backend. The vulnerability affects multiple versions of Spring Cloud Config, including 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. To mitigate this vulnerability, users should upgrade to the latest version of Spring Cloud Config. The CVE was published on May 7, 2026, and last modified on June 30, 2026.
- Vendor: Spring
- Product: Spring Cloud Config
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-07
- Advisory updated: 2026-06-30
Who should care
Security teams and administrators responsible for VMware Spring Cloud Config deployments should be aware of this vulnerability and act promptly to mitigate it. Because it can expose sensitive information, it is a high-priority issue to address.
Technical summary
The vulnerability exists in the Spring Cloud Config server when using Google Secrets Manager as a backend. A client can craft a request to the config server, potentially exposing secrets from unintended GCP projects. The affected versions of Spring Cloud Config are 3.1.x (from 3.1.0 to 3.1.13), 4.1.x (from 4.1.0 to 4.1.9), 4.2.x (from 4.2.0 to 4.2.6), 4.3.x (from 4.3.0 to 4.3.2), and 5.0.x (from 5.0.0 to 5.0.2).
Defensive priority
High priority due to potential exposure of sensitive information.
Recommended defensive actions
- Upgrade to Spring Cloud Config version 3.1.14 or greater (Enterprise Support Only) for 3.1.x deployments.
- Upgrade to Spring Cloud Config version 4.1.10 or greater (Enterprise Support Only) for 4.1.x deployments.
- Upgrade to Spring Cloud Config version 4.2.7 or greater (Enterprise Support Only) for 4.2.x deployments.
- Upgrade to Spring Cloud Config version 4.3.3 or greater for 4.3.x deployments.
- Upgrade to Spring Cloud Config version 5.0.3 or greater for 5.0.x deployments.
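The affected and fixed version ranges listed above, turned into an inventory check. This is an added example, not code from Spring, VMware or PatchSiren. It assumes the "from X to Y" ranges in the technical summary are inclusive, treats pre-release builds (SNAPSHOT, milestone, RC) of a fixed release as still unfixed, and reports branches the debrief does not mention (for example 4.0.x) as "unlisted" rather than as safe, because this page makes no statement about them. The service inventory it scans is constructed sample input.

```python
"""Check Spring Cloud Config versions against the CVE-2026-40981 ranges
given in this debrief (added example; assumptions noted in comments)."""
import re

# (first affected, first fixed) per branch, copied from the debrief.
# Last affected per the page: 3.1.13, 4.1.9, 4.2.6, 4.3.2, 5.0.2.
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 14)),
    ((4, 1, 0), (4, 1, 10)),
    ((4, 2, 0), (4, 2, 7)),
    ((4, 3, 0), (4, 3, 3)),
    ((5, 0, 0), (5, 0, 3)),
]

# Accepts "4.3.2", "4.3.3-SNAPSHOT", "3.1.13.RELEASE", "3.1.0-M1", ...
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([0-9A-Za-z][0-9A-Za-z.-]*))?$"
)
# Assumption: only a bare version or a .RELEASE suffix counts as a final
# build; every other qualifier is treated as a pre-release of that version.
_FINAL_QUALIFIERS = {"", "RELEASE"}


def parse_version(text):
    """Return (major, minor, patch, final) where final is 1 for a released
    build and 0 for a pre-release, so that X.Y.Z-SNAPSHOT sorts before X.Y.Z."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    final = 1 if (qualifier or "").upper() in _FINAL_QUALIFIERS else 0
    return (int(major), int(minor), int(patch), final)


def _fmt(triple):
    return ".".join(str(part) for part in triple)


def assess(text):
    """Classify one version as 'affected', 'fixed' or 'unlisted' and name the
    release to upgrade to when it is affected."""
    key = parse_version(text)
    branch = key[:2]
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected[:2] != branch:
            continue
        # Inclusive lower bound; anything older than the final fixed build
        # (including a pre-release of the fixed version) is still affected.
        if first_affected + (0,) <= key < first_fixed + (1,):
            return {"version": text, "status": "affected",
                    "upgrade_to": _fmt(first_fixed)}
        return {"version": text, "status": "fixed", "upgrade_to": None}
    # Branch not covered by the debrief: do not assume it is safe.
    return {"version": text, "status": "unlisted", "upgrade_to": None}


def scan(inventory):
    """Return the affected entries of an (service, version) inventory."""
    findings = []
    for service, version in inventory:
        result = assess(version)
        if result["status"] == "affected":
            findings.append({"service": service, **result})
    return findings


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("config-server-prod", "4.3.2"),
    ("config-server-staging", "4.3.3-SNAPSHOT"),
    ("config-server-legacy", "3.1.14"),
    ("config-server-old", "4.0.5"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(f"{finding['service']}: {finding['version']} is affected, "
              f"upgrade to {finding['upgrade_to']}")
    for service, version in SAMPLE_INVENTORY:
        if assess(version)["status"] == "unlisted":
            print(f"{service}: {version} is on a branch this debrief does not list")
```

The check deliberately keeps "unlisted" separate from "fixed": a 4.0.x server is not cleared by this page, only unaddressed by it, and that distinction is what an inventory report should preserve.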
Evidence notes
The CVE-2026-40981 record was published on May 7, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 7.5 and is classified as HIGH severity. The CVE is related to CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-1220 (Insufficient Granularity of Access Control).
Official resources
- CVE-2026-40981 CVE record (CVE.org)
- CVE-2026-40981 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.