CVE-2026-40981
Modified Modified - Updated After Analysis

Information Disclosure in Spring Cloud Config with Google Secrets Manager

Vulnerability report for CVE-2026-40981, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-07

Last updated on: 2026-06-30

Assigner: VMware

Description

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-07
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-05-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_cloud_config From 3.1.0 (inc) to 3.1.13 (inc)
vmware spring_cloud_config From 4.1.0 (inc) to 4.1.9 (inc)
vmware spring_cloud_config From 4.2.0 (inc) to 4.2.6 (inc)
vmware spring_cloud_config From 4.3.0 (inc) to 4.3.2 (inc)
vmware spring_cloud_config From 5.0.0 (inc) to 5.0.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1220 The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40981 is a security vulnerability in Spring Cloud Config when using Google Secrets Manager as a backend. It allows a client to craft a request to the config server that can potentially expose secrets from Google Cloud Platform projects that the server has access to but were not intended to be shared with that client.

Impact Analysis

This vulnerability can lead to unauthorized exposure of sensitive information stored as secrets in Google Cloud Platform projects. An attacker or unauthorized client could access secrets from unintended projects, potentially compromising confidential data and security.

Mitigation Strategies

To mitigate the vulnerability in Spring Cloud Config when using Google Secrets Manager as a backend, you should upgrade to the fixed versions:

  • 3.1.14 (Enterprise Support Only)
  • 4.1.10 (Enterprise Support Only)
  • 4.2.7 (Enterprise Support Only)
  • 4.3.3 (OSS)
  • 5.0.3 (OSS)

If upgrading is not possible immediately, you can set the property `spring.cloud.config.server.gcp-secret-manager.token-mandatory=true` to enforce token-based verification, requiring clients to provide a valid token with access to the requested project's secrets.

Compliance Impact

This vulnerability allows unauthorized clients to potentially access secrets from unintended Google Cloud Platform projects via the Spring Cloud Config server when using Google Secrets Manager as a backend. Such unauthorized exposure of sensitive information could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to sensitive data.

Mitigating the vulnerability by upgrading to fixed versions or enforcing token-based verification helps prevent unauthorized access, thereby supporting compliance efforts with these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40981. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart