org.springframework.cloud:spring-cloud-config-server (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.springframework.cloud:spring-cloud-config-server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (8)
CVE-2026-40982 — CVSS 9.1 (critical): Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious…
CVE-2026-22739 — CVSS 8.6 (high): Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to…
CVE-2026-40981 — CVSS 7.5 (high): When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server…
CVE-2026-41002 — CVSS 7.2 (high): The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is…
CVE-2019-3799 — CVSS 6.5 (medium): Spring Cloud Config, versions 2.1.x prior to 2.1.2, versions 2.0.x prior to 2.0.4, and versions 1.4.x prior to 1.4.6, and older unsupported…
CVE-2020-5405 — CVSS 6.5 (medium): Spring Cloud Config, versions 2.2.x prior to 2.2.2, versions 2.1.x prior to 2.1.7, and older unsupported versions allow applications to…
CVE-2026-41004 — CVSS 4.4 (medium): When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config…