When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
{
"cna_assigner": "vmware",
"unresolved_ranges": [
{
"source": "AFFECTED_FIELD",
"extracted_events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.14"
},
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.10"
},
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.7"
},
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.3"
},
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.3"
}
]
},
{
"source": "DESCRIPTION",
"extracted_events": [
{
"introduced": "3.1.0"
},
{
"fixed": "3.1.13"
},
{
"introduced": "4.1.0"
},
{
"fixed": "4.1.9"
},
{
"introduced": "4.2.0"
},
{
"fixed": "4.2.6"
},
{
"introduced": "4.3.0"
},
{
"fixed": "4.3.2"
},
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.2"
}
]
}
],
"cwe_ids": [
"CWE-639"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40981.json"
}