CVE-2026-40981
Status: Received - Intake
BaseFortify

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: VMware

Description
When using Google Secrets Manager as a backend for the Spring Cloud Config server, a client can craft a request to the config server potentially exposing secrets from unintended GCP projects.

Affected versions and fixes:

  • Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
  • Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-07
AI Q&A: 2026-05-07
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_cloud_config From 3.1.0 (inc) to 3.1.13 (inc)
vmware spring_cloud_config From 4.1.0 (inc) to 4.1.9 (inc)
vmware spring_cloud_config From 4.2.0 (inc) to 4.2.6 (inc)
vmware spring_cloud_config From 4.3.0 (inc) to 4.3.2 (inc)
vmware spring_cloud_config From 5.0.0 (inc) to 5.0.2 (inc)
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40981 is a security vulnerability in Spring Cloud Config when using Google Secrets Manager as a backend. It allows a client to craft a request to the config server that can potentially expose secrets from Google Cloud Platform projects that the server has access to but were not intended to be shared with that client.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized exposure of sensitive information stored as secrets in Google Cloud Platform projects. An attacker or unauthorized client could access secrets from unintended projects, potentially compromising confidential data and security.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in Spring Cloud Config when using Google Secrets Manager as a backend, you should upgrade to the fixed versions:

  • 3.1.14 (Enterprise Support Only)
  • 4.1.10 (Enterprise Support Only)
  • 4.2.7 (Enterprise Support Only)
  • 4.3.3 (OSS)
  • 5.0.3 (OSS)

If upgrading is not possible immediately, you can set the property `spring.cloud.config.server.gcp-secret-manager.token-mandatory=true` to enforce token-based verification, requiring clients to provide a valid token with access to the requested project's secrets.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized clients to potentially access secrets from unintended Google Cloud Platform projects via the Spring Cloud Config server when using Google Secrets Manager as a backend. Such unauthorized exposure of sensitive information could lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to sensitive data.

Mitigating the vulnerability by upgrading to fixed versions or enforcing token-based verification helps prevent unauthorized access, thereby supporting compliance efforts with these regulations.

