What is the CVSS score of CVE-2026-41004?

CVE-2026-41004 has a CVSS 3.1 base score of 4.4 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-41004?

Yes, a patch is available for CVE-2026-41004. Update the affected software to the latest version immediately.

Spring Cloud Config CVE-2026-41004

EUVD-2026-28250 MEDIUM

Insertion of Sensitive Information into Log File (CWE-532)

2026-05-07 vmware

GHSA-j6hh-h3cf-c2hf

Java Information Disclosure

4.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch available

May 07, 2026 - 06:16 EUVD

Analysis Generated

May 07, 2026 - 04:47 vuln.today

CVE Published

May 07, 2026 - 03:51 nvd

MEDIUM 4.4

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

7 maven packages depend on org.springframework.cloud:spring-cloud-config-server (6 direct, 1 indirect)

Ecosystem-wide dependent count for version 3.1.0.

DescriptionNVD

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

AnalysisAI

Spring Cloud Config Server exposes sensitive information in plaintext logs when trace logging is enabled, allowing high-privilege local users to access configuration data including credentials and API keys. The vulnerability affects versions 3.1.0-3.1.13, 4.1.0-4.1.9, 4.2.0-4.2.6, 4.3.0-4.3.2, and 5.0.0-5.0.2. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41004 vulnerability details – vuln.today

Back

Spring Cloud Config CVE-2026-41004

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

Share

External POC / Exploit Code