CVE-2026-41002
Undergoing Analysis Undergoing Analysis - In Progress
Time-of-Check-Time-of-Use in Spring Cloud Config Server

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: VMware

Description
The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41002
EUVD
EUVD-2026-28248
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vmware spring_cloud_config From 3.1.0 (inc) to 3.1.13 (inc)
vmware spring_cloud_config From 4.1.0 (inc) to 4.1.9 (inc)
vmware spring_cloud_config From 4.2.0 (inc) to 4.2.6 (inc)
vmware spring_cloud_config From 4.3.0 (inc) to 4.3.2 (inc)
vmware spring_cloud_config From 5.0.0 (inc) to 5.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41002 is a security vulnerability in the Spring Cloud Config Server involving a time-of-check-time-of-use (TOCTOU) attack.

The vulnerability affects the base directory configuration property `spring.cloud.config.server.git.basedir`, which the server uses to clone Git repositories.

Because of this TOCTOU issue, an attacker could exploit the timing between checking and using the directory to perform unauthorized actions.

Impact Analysis

This vulnerability has a high severity rating and can lead to serious security impacts.

An attacker exploiting the TOCTOU flaw could potentially manipulate the base directory used for cloning Git repositories, which may result in unauthorized access or modification of configuration data.

Such unauthorized changes could compromise the integrity and confidentiality of application configurations, potentially leading to further security breaches.

Mitigation Strategies

To mitigate the risk of the TOCTOU vulnerability in Spring Cloud Config Server, you should upgrade your Spring Cloud Config Server to the fixed versions.

  • Upgrade to version 3.1.14 or greater if you are using 3.1.x (Enterprise Support Only).
  • Upgrade to version 4.1.10 or greater if you are using 4.1.x (Enterprise Support Only).
  • Upgrade to version 4.2.7 or greater if you are using 4.2.x (Enterprise Support Only).
  • Upgrade to version 4.3.3 or greater if you are using 4.3.x (OSS).
  • Upgrade to version 5.0.3 or greater if you are using 5.0.x (OSS).

Applying these updates will address the vulnerability related to the base directory used for cloning Git repositories.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart