Spring Cloud Config exposes GCP secrets
- Spring disclosed CVE-2026-40982 on May 6, a critical Spring Cloud Config path-traversal bug that lets unauthenticated attackers read arbitrary files from config servers.
- The affected ranges run through 3.1.13, 4.1.9, 4.2.6, 4.3.2, and 5.0.2; fixes start at 3.1.14, 4.1.10, 4.2.7, 4.3.3, and 5.0.3. (github.com)
- It lands beside CVE-2026-40981, which can expose Google Secret Manager data across GCP projects reachable by the same config server. (spring.io)
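The version ranges in the summary above are easy to misread by hand, especially across five release lines. The following is an added example, not code from Spring or from the advisory: it encodes the published affected ranges and first-fixed versions for CVE-2026-40982, then scans `mvn dependency:tree` style output for the `org.springframework.cloud:spring-cloud-config-server` artifact and reports whether each resolved version is affected, fixed, or on a branch the advisory does not list at all. The dependency-tree lines are constructed sample input.

```python
"""Check resolved spring-cloud-config-server versions against the published
CVE-2026-40982 ranges. Added example; not Spring's code. Sample tree output
below is constructed."""
import re

# Inclusive affected ranges and the first fixed version per release line,
# exactly as published for CVE-2026-40982.
AFFECTED_RANGES = [
    ((3, 1, 0), (3, 1, 13), "3.1.14"),
    ((4, 1, 0), (4, 1, 9), "4.1.10"),
    ((4, 2, 0), (4, 2, 6), "4.2.7"),
    ((4, 3, 0), (4, 3, 2), "4.3.3"),
    ((5, 0, 0), (5, 0, 2), "5.0.3"),
]

ARTIFACT = "org.springframework.cloud:spring-cloud-config-server"

# Maven prints group:artifact:type[:classifier]:version[:scope]; Gradle prints
# group:artifact:version. Type/classifier start with a letter, version with a digit.
COORD_RE = re.compile(re.escape(ARTIFACT) + r":(?:[A-Za-z][\w-]*:)*(\d[\w.-]*)")


def parse_version(text):
    """Reduce '4.2.6' or '4.2.6-SNAPSHOT' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(version):
    """Return (status, first_fixed). status is one of:
    'affected'   - inside a published vulnerable range
    'fixed'      - same release line, at or past the first fixed version
    'not-listed' - a release line the advisory does not cover; the article
                   notes older unsupported branches are a problem too, so
                   treat this as 'investigate', not 'safe'."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected", fixed
        if v[:2] == low[:2] and v > high:
            return "fixed", fixed
    return "not-listed", None


def scan_dependency_tree(lines):
    """Find every config-server coordinate in dependency output and assess it."""
    findings = []
    for line in lines:
        m = COORD_RE.search(line)
        if m:
            version = m.group(1)
            status, fixed = assess_version(version)
            findings.append((version, status, fixed))
    return findings


# Constructed sample of `mvn dependency:tree` output for a hypothetical service.
SAMPLE_TREE = [
    "[INFO] com.example:payments-config:jar:1.0.0",
    "[INFO] +- org.springframework.cloud:spring-cloud-config-server:jar:4.2.6:compile",
    "[INFO] |  \\- org.springframework.cloud:spring-cloud-config-client:jar:4.2.6:compile",
    "[INFO] \\- org.springframework.boot:spring-boot-starter-web:jar:3.4.5:compile",
]

if __name__ == "__main__":
    for version, status, fixed in scan_dependency_tree(SAMPLE_TREE):
        target = f", upgrade to {fixed}" if status == "affected" else ""
        print(f"spring-cloud-config-server {version}: {status}{target}")
```

Feed it the real output of `mvn dependency:tree` or `gradle dependencies` for each config-server deployment; the `not-listed` status exists precisely so that a 2.x or 4.0.x line is surfaced for a human decision rather than silently passing.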
Spring Cloud Config is the service that hands applications their settings at startup — database URLs, API keys, feature flags, sometimes full-blown secrets. That makes it a quiet but very high-value box. This week, Spring disclosed a critical bug in that server, CVE-2026-40982, that lets an unauthenticated attacker read arbitrary files through the `spring-cloud-config-server` module. (github.com) The reason people are reacting hard is simple: when the config server can read sensitive(spring.io)gets a lot easier to crack. (spring.io)

### What actually broke?

The bug is a directory traversal flaw. In plain English, the server can be tricked into stepping outside the directory tree it was supposed to serve and returning files it was never meant to expose. Spring describes the issue as arbitrary text and binary file access through the config server module, and GitHub’s advisory scores it 9.1 critical with no privileges or user interaction required. (github.com)

### Why is a config server such a (spring.io)

r the center of trust. Applications ask it for configuration before they do almost anything useful. In a lot of shops, that means it can reach Git repos, secret stores, local cache directories, and log files that include credentials or tokens. Even when the bug is “just file read,” the practical outcome can be much bigger if those files contain cloud identities, backend passwords, or internal topology. That’s an infere(github.com)tly why config infrastructure gets treated like management plane infrastructure. (github.com)

### Where does GCP come into this?

There’s a second advisory, CVE-2026-40981, published the same day. That one is different, but related in impact. When Spring Cloud Config uses Google Secret Manager as a backend, a client can craft a request that may expose secrets from unintended GCP projects the config server already has access to. So the GCP angle is real — but it is not the same flaw as the traversal bug. One issue is arbitrary file exposure on the server.
The other is cross-project secret exposure through Google Secret Manager integration. (spring.io)

### Which versions are affected?

The published affected ranges are broad. Spring Cloud Config 3.1.0 through 3.1.13, 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, 4.3.0 through 4.3.2, and 5.0.0 through 5.0.2 are listed as vulnerable to CVE-2026-40982. The fixed versions are 3.1.14+, 4.1.10+, 4.2.7+, 4.3.3+, and 5.0.3+. Older unsupported branches are a problem too, which is the ugly part for long-lived internal platforms. (github.com)

### Is this exposed to the interne(spring.io)

s the catch. Spring has warned before that config servers should live on internal networks and be secured. Real environments are messier. Teams expose them for convenience, route them through shared ingress, or assume “internal” means safe enough. If one of these servers is reachable by an attacker, the advisory says exploitation does not require authentication. That sharply raises urgency. (spring.io)

### ne bug?

Because it arrived as part of a cluster of Spring Cloud Config issues on May 6. Alongside the traversal flaw and the Google Secret Manager issue, Spring also published a TOCTOU advisory and another one about sensitive information in trace logs. That pattern suggests operators should look for exposure chains, not isolated CVEs — file access, secret access, and logging mistakes can compound fast. (spring.io)

### What should operat(spring.io)

server may already have exposed more than intended. Check whether the config server is internet-reachable, review what backends and local paths it can access, rotate any credentials or service-account material that might have been readable, and inspect logs for suspicious requests. The big idea is containment — not just version bumping. (github.com)

### Bottom line?

This is not “just an(spring.io)ten sits next to secrets, cloud access, and application bootstrap.
And the GCP story is real — but it spans two separate Spring Cloud Config flaws disclosed on May 6 and May 7, 2026, not one magical bug that does everything. (spring.io)
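The operator guidance above ends with "inspect logs for suspicious requests", which for a path-traversal bug means looking for requests whose path contains a `..` segment once URL encoding has been undone. The following is an added example, not Spring's code and not tied to the specific request shape of CVE-2026-40982 (which the advisories do not describe): it parses reverse-proxy access-log lines in Combined Log Format (an assumption about how the config server is fronted), decodes the request path repeatedly so single- and double-encoded dot segments are caught, ignores the query string, and returns the client, timestamp, raw path and status for each hit. The log lines are constructed sample input.

```python
"""Flag access-log requests whose decoded path contains a '..' segment, as a
first pass at the 'inspect logs for suspicious requests' step. Added example;
not Spring's code. Log lines below are constructed; Combined Log Format from a
reverse proxy in front of the config server is assumed."""
import re
from urllib.parse import unquote

# client - user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def decode_fully(path, max_rounds=3):
    """Undo layered percent-encoding (%252e -> %2e -> .) until the text is stable.
    A bounded loop keeps a pathological input from spinning."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(raw_path):
    """True if any path segment equals '..' after decoding and after treating
    backslashes as separators. Catches ../, ..%2f, %2e%2e/, ..\\ and
    double-encoded variants; '..foo' or '..' only inside the query string
    does not count."""
    path = decode_fully(raw_path.split("?", 1)[0]).replace("\\", "/")
    return any(segment == ".." for segment in path.split("/"))


def scan_access_log(lines):
    """Return (client, timestamp, raw path, status) for each suspicious request.
    The status is kept because a 200 on a traversal path is the one to triage
    first: the server may actually have returned the file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("ts"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample: one normal fetch, one encoded traversal that succeeded,
# one double-encoded traversal that was rejected, and a benign '..' in a query.
SAMPLE_LOG = [
    '10.20.0.5 - - [06/May/2026:10:14:02 +0000] "GET /app/default/main/application.yml HTTP/1.1" 200 512 "-" "java/17"',
    '203.0.113.7 - - [06/May/2026:10:14:09 +0000] "GET /app/default/main/..%2F..%2Fsample-target HTTP/1.1" 200 1834 "-" "curl/8.5.0"',
    '198.51.100.9 - - [06/May/2026:10:15:41 +0000] "GET /app/default/main/%252e%252e/sample-target HTTP/1.1" 404 0 "-" "curl/8.5.0"',
    '10.20.0.6 - - [06/May/2026:10:16:00 +0000] "GET /app/default/main/application.yml?ref=../notes HTTP/1.1" 200 512 "-" "java/17"',
]

if __name__ == "__main__":
    for ip, ts, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {status} {path}")
```

Run it over the proxy logs for the window since the server was last known clean; sort the hits by status so successful responses are reviewed first, and treat the source addresses and the files those paths would resolve to as input to the credential-rotation decision rather than as the end of the investigation.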