CVE-2026-22739 (Java) · EUVD-2026-14664 · HIGH
Path Traversal (CWE-22)
2026-03-24 · vmware · GHSA-3qwq-q9vm-5j42
8.6 · CVSS 3.1 · NVD

Severity by source

NVD (primary): 8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low

Lifecycle Timeline (4 events)

  • Mar 31, 2026 - 21:13 (nvd): Patch released; patch available
  • Mar 24, 2026 - 00:45 (euvd): EUVD ID assigned, EUVD-2026-14664
  • Mar 24, 2026 - 00:45 (vuln.today): Analysis generated
  • Mar 24, 2026 - 00:16 (nvd): CVE published

Blast Radius (ecosystem impact)

  • 8 maven packages depend on org.springframework.cloud:spring-cloud-config-server (7 direct, 1 indirect)

Ecosystem-wide dependent count for version 4.3.0; the transitive graph is resolved to a depth of 4.

Description (CVE.org)

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

Analysis (AI)

Spring Cloud Config Server contains a path traversal vulnerability when using the native file system backend, allowing unauthenticated remote attackers to access arbitrary files outside configured search directories by manipulating the profile parameter in requests. This affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Send malicious profile parameter to Spring Cloud Config Server
  • Exploit: Bypass directory traversal restrictions via path manipulation
  • Execution: Access files outside configured search directories
  • Impact: Read sensitive configuration or application files

Vulnerability Assessment (AI)

Exploitation: Spring Cloud Config Server with native file system backend enabled. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 3.1 score of 8.6 (High) reflects a remotely exploitable vulnerability with low attack complexity requiring no privileges or user interaction (AV:N/AC:L/PR:N/UI:N), resulting in high confidentiality impact (C:H) and low integrity and availability impact (I:L/A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker identifies an internet-accessible Spring Cloud Config Server using the native file system backend through reconnaissance of common Spring Boot management endpoints or error messages. The attacker crafts HTTP requests to the Config Server manipulating the profile parameter with path traversal sequences such as '../../../etc/passwd' or '../../../opt/app/secrets/database.properties' to read arbitrary files outside the intended configuration directories. …

Remediation: Upgrade Spring Cloud to the patched versions immediately: version 3.1.13 or later for the 3.1.X branch, version 4.1.9 or later for 4.1.X, version 4.2.3 or later for 4.2.X, version 4.3.2 or later for 4.3.X, or version 5.0.2 or later for 5.0.X as documented in the VMware security advisory at https://spring.io/security/cve-2026-22739. … Detailed patch versions, workarounds, and compensating controls in full report.
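
A version-triage helper for the affected ranges listed above, as an added example (not code from vuln.today or the Spring project); the branch-to-fix table mirrors the advisory statement, and the service inventory is constructed:

```python
"""Check Spring Cloud versions against the CVE-2026-22739 affected ranges.

Added example; not part of the vuln.today record. The branch ranges and fixed
versions come from the advisory text above; the inventory below is constructed.
"""
from __future__ import annotations

# (major, minor) branch -> first fixed version in that branch, per the advisory.
FIXED_BY_BRANCH = {
    (3, 1): (3, 1, 13),
    (4, 1): (4, 1, 9),
    (4, 2): (4, 2, 3),
    (4, 3): (4, 3, 2),
    (5, 0): (5, 0, 2),
}

def parse_version(v: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch', tolerating '.RELEASE' or '-SNAPSHOT' suffixes."""
    parts = v.split("-")[0].split(".")[:3]
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Spring Cloud version: {v!r}")
    return tuple(int(p) for p in parts)

def is_affected(version: str) -> bool:
    """True when the version sits in a listed branch below that branch's fix.
    Branches the advisory does not list (e.g. 4.0.x) are not flagged here."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    return fixed is not None and (major, minor, patch) < fixed

def fixed_version_for(version: str) -> str | None:
    """Return the first patched release for the version's branch, if listed."""
    fixed = FIXED_BY_BRANCH.get(parse_version(version)[:2])
    return ".".join(map(str, fixed)) if fixed else None

def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map each service in a (constructed) version inventory to an action."""
    actions = {}
    for service, version in inventory.items():
        if is_affected(version):
            actions[service] = f"upgrade {version} -> {fixed_version_for(version)}"
        else:
            actions[service] = "not in an affected range"
    return actions

if __name__ == "__main__":
    # Constructed inventory; "4.3.0" matches the dependent-count version above.
    sample = {"config-a": "4.3.0", "config-b": "4.3.2", "config-c": "3.1.12"}
    for service, action in triage(sample).items():
        print(f"{service}: {action}")
```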

Recommended Action (AI)

Within 24 hours: Identify all Spring Cloud Config Server instances and their versions; isolate exposed instances from untrusted networks. …


CVE-2026-22739 vulnerability details – vuln.today