CVE-2026-41002
Status: Received - Intake
BaseFortify

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: VMware

Description
The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks.

  • Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
  • Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Meta Information
Published: 2026-05-07
Last Modified: 2026-05-07
Generated: 2026-05-07
AI Q&A: 2026-05-07
EPSS Evaluated: N/A
Affected Vendors & Products (5 associated CPEs)
Vendor   Product               Version / Range
vmware   spring_cloud_config   From 3.1.0 (inc) to 3.1.13 (inc)
vmware   spring_cloud_config   From 4.1.0 (inc) to 4.1.9 (inc)
vmware   spring_cloud_config   From 4.2.0 (inc) to 4.2.6 (inc)
vmware   spring_cloud_config   From 4.3.0 (inc) to 4.3.2 (inc)
vmware   spring_cloud_config   From 5.0.0 (inc) to 5.0.2 (inc)
CWE
CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41002 is a time-of-check-time-of-use (TOCTOU) vulnerability (CWE-367) in the Spring Cloud Config Server.

It affects the base directory configured by the property `spring.cloud.config.server.git.basedir`, which the server uses as the location into which it clones Git repositories.

Because the directory's state is checked at one moment and used at a later one, an attacker who can change that state in the window between the check and the use can invalidate the check and cause the server to act on a directory it did not intend to.


How can this vulnerability impact me?

This vulnerability has a high severity rating and can lead to serious security impacts.

An attacker exploiting the TOCTOU flaw could manipulate the base directory used for cloning Git repositories, which may result in unauthorized access to or modification of the configuration data the server serves.

Such unauthorized changes could compromise the integrity and confidentiality of application configurations, potentially leading to further security breaches in the applications that consume them.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the risk of the TOCTOU vulnerability in Spring Cloud Config Server, upgrade to the fixed version for the release line you are running:

  • Upgrade to version 3.1.14 or greater if you are using 3.1.x (Enterprise Support Only).
  • Upgrade to version 4.1.10 or greater if you are using 4.1.x (Enterprise Support Only).
  • Upgrade to version 4.2.7 or greater if you are using 4.2.x (Enterprise Support Only).
  • Upgrade to version 4.3.3 or greater if you are using 4.3.x (OSS).
  • Upgrade to version 5.0.3 or greater if you are using 5.0.x (OSS).

Applying these updates addresses the TOCTOU vulnerability in the base directory used for cloning Git repositories; no configuration-only workaround is listed in the advisory.

