CVE-2026-40982 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: May 7, 2026
Spring Cloud Config - Path Traversal
Published: May 7, 2026 | Updated: May 7, 2026 | Remote Exploitable
Overview
Spring Cloud Config 3.1.0 to 3.1.13, 4.1.0 to 4.1.9, 4.2.0 to 4.2.6, 4.3.0 to 4.3.2, and 5.0.0 to 5.0.2 contain a path traversal vulnerability in spring-cloud-config-server. Specially crafted URL requests let remote attackers access arbitrary files. Exploitation requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.1
Impact
Attackers can access arbitrary files on the server, potentially exposing sensitive information.
Mitigation
Upgrade to 3.1.14, 4.1.10, 4.2.7, 4.3.3, or 5.0.3 or greater.
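To find deployments that still need the upgrade, the following added example (not part of the advisory or of the Spring project) scans dependency listings and jar file names for spring-cloud-config-server and reports the fixed release for each affected version. The function names and the sample lines are constructed for illustration; the ranges come from the advisory text above.

```python
import re

# Affected ranges and first fixed release, as listed in the advisory.
AFFECTED = [
    ((3, 1, 0), (3, 1, 13), "3.1.14"),
    ((4, 1, 0), (4, 1, 9), "4.1.10"),
    ((4, 2, 0), (4, 2, 6), "4.2.7"),
    ((4, 3, 0), (4, 3, 2), "4.3.3"),
    ((5, 0, 0), (5, 0, 2), "5.0.3"),
]

# Matches Maven coordinates (artifact:jar:1.2.3) and jar names (artifact-1.2.3.jar).
PATTERN = re.compile(r"spring-cloud-config-server(?::jar:|-)(\d+)\.(\d+)\.(\d+)")


def fixed_version(version):
    """Return the fixed release for an affected (major, minor, patch) tuple, else None."""
    for low, high, fix in AFFECTED:
        if low <= version <= high:
            return fix
    return None


def scan(lines):
    """Return (line_number, found_version, fixed_version) for each affected hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for match in PATTERN.finditer(line):
            version = tuple(int(part) for part in match.groups())
            fix = fixed_version(version)
            if fix:
                findings.append((number, ".".join(match.groups()), fix))
    return findings


# Constructed sample input: Maven dependency:list lines and Spring Boot jar entries.
SAMPLE = [
    "[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.1.9:compile",
    "BOOT-INF/lib/spring-cloud-config-server-4.2.7.jar",
    "BOOT-INF/lib/spring-cloud-config-server-3.1.13.jar",
    "[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:4.1.3:compile",
]

if __name__ == "__main__":
    for number, found, fix in scan(SAMPLE):
        print(f"line {number}: spring-cloud-config-server {found} is affected, upgrade to {fix} or later")
```

Versions outside the ranges listed in the advisory are not flagged; the advisory makes no statement about them.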
Details
- CVE ID: CVE-2026-40982
- Severity: Critical
- CVSS Score: 9.1
- Type: path_traversal
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N