Skip to main content

Spring Cloud Config CVE-2026-41004

| EUVDEUVD-2026-28250 MEDIUM
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-07 vmware GHSA-j6hh-h3cf-c2hf
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Red Hat
4.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 04:47 vuln.today
CVE Published
May 07, 2026 - 03:51 nvd
MEDIUM 4.4

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on org.springframework.cloud:spring-cloud-config-server (6 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.1.0.

DescriptionCVE.org

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

AnalysisAI

Spring Cloud Config Server exposes sensitive information in plaintext logs when trace logging is enabled, allowing high-privilege local users to access configuration data including credentials and API keys. The vulnerability affects versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2. No public exploit identified at time of analysis; vendor-released patches are available for all affected version lines.

Technical ContextAI

Spring Cloud Config Server is a centralized configuration management system for distributed Java applications that stores and serves application properties, database credentials, API keys, and other sensitive configuration data to client applications. The vulnerability resides in the trace logging mechanism (typically controlled by log level settings in Spring Boot/Spring Framework logging configuration). When trace-level logging is enabled, the configuration server logs the full contents of configuration data being served, including plaintext secrets that should be redacted or excluded from logs. This violates the logging best practice of never writing authentication material or API credentials to logs. The root cause is insufficient redaction/filtering of sensitive fields before writing to logs-a classic information disclosure flaw (CWE-532: Insertion of Sensitive Information into Log File). The affected CPE indicates all versions of Spring Cloud Config across the listed minor versions are vulnerable until the specified patch versions.

RemediationAI

Vendor-released patches are available for all affected version lines. Spring Cloud Config 3.1.x users should upgrade to 3.1.14 or greater; 4.1.x users should upgrade to 4.1.10 or greater; 4.2.x users should upgrade to 4.2.7 or greater; 4.3.x users should upgrade to 4.3.3 or greater; and 5.0.x users should upgrade to 5.0.3 or greater. Note that 3.1.x, 4.1.x, and 4.2.x patches are available only with Enterprise Support from VMware. For environments unable to patch immediately, disable trace-level logging on Spring Cloud Config Server instances by setting the application log level to DEBUG or INFO in application.yml or application.properties, and avoid enabling spring.cloud.config.server.debug=true or trace-level loggers for spring.cloud.config packages. Additionally, restrict file system access to application logs to authenticated administrators only, and route logs to secure log aggregation systems with access controls and encryption. If centralized logging is used, ensure that log ingestion and storage have proper access restrictions to limit exposure of secrets that may already be logged.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Vendor StatusVendor

Share

CVE-2026-41004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy