7.5
CVE-2026-40981
- EPSS 0.44%
- Veröffentlicht 07.05.2026 04:16:24
- Zuletzt bearbeitet 30.06.2026 03:19:22
- Quelle security@vmware.com
- CVE-Watchlists
- Unerledigt
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VMware ≫ Spring Cloud Config Version >= 3.1.0 < 3.1.14
VMware ≫ Spring Cloud Config Version >= 4.1.0 < 4.1.10
VMware ≫ Spring Cloud Config Version >= 4.2.0 < 4.2.7
VMware ≫ Spring Cloud Config Version >= 4.3.0 < 4.3.3
VMware ≫ Spring Cloud Config Version >= 5.0.0 < 5.0.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.44% | 0.348 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@vmware.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-1220 Insufficient Granularity of Access Control
The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://spring.io/security/cve-2026-40981
https://access.redhat.com/security/cve/CVE-2026-40981
https://bugzilla.redhat.com/show_bug.cgi?id=2467621
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40981.json