GHSA-6g23-24mc-hx6x

Source
https://github.com/advisories/GHSA-6g23-24mc-hx6x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6g23-24mc-hx6x
Aliases
  • CVE-2026-40982
Published
2026-05-07T06:31:41Z
Modified
2026-05-11T16:35:47.458102Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Spring Cloud Config vulnerable to Path Traversal
Details

Spring Cloud Config lets applications serve arbitrary text and binary files through the spring-cloud-config-server module. An attacker can send a request with a specially crafted URL that leads to a directory traversal (CWE-22) through that file-serving path. The CVSS vector above rates the issue as exploitable over the network with no privileges and no user interaction, with high confidentiality and integrity impact.

Affected and fixed versions by release line:
  • Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
  • Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

The per-line "Affected versions" enumerations under Affected packages stop short of the range bound for the 3.1.x, 4.1.x and 4.2.x lines (3.1.x, for example, enumerates only 3.1.0 through 3.1.10 although the range runs through 3.1.13), so compare a deployed version against the ranges rather than against the enumerated lists.
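The following Python script is an added example, not code from the advisory or from the Spring Cloud project. It transcribes the five Affected ranges on this page into a table, applies the OSV event semantics ("introduced" inclusive, "fixed" exclusive, "last_affected" inclusive, the latter used for the three lines whose fix is Enterprise Support Only) and scans the output of `mvn dependency:list` for the artifact. The upgrade targets are the "upgrade to X or greater" values from the Details text; the sample dependency output is constructed.

```python
"""Decide whether a spring-cloud-config-server version is inside the advisory's ranges."""
import re

# Transcribed from the advisory's five ECOSYSTEM ranges; "upgrade_to" is the
# "upgrade to X or greater" target named in the Details text for that line.
AFFECTED_RANGES = [
    {"introduced": "3.1.0", "last_affected": "3.1.13", "upgrade_to": "3.1.14"},
    {"introduced": "4.1.0", "last_affected": "4.1.9",  "upgrade_to": "4.1.10"},
    {"introduced": "4.2.0", "last_affected": "4.2.6",  "upgrade_to": "4.2.7"},
    {"introduced": "4.3.0", "fixed": "4.3.3",          "upgrade_to": "4.3.3"},
    {"introduced": "5.0.0", "fixed": "5.0.3",          "upgrade_to": "5.0.3"},
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.]+))?")

def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-QUALIFIER]' into a comparable tuple.
    A final release (no qualifier, or the old '.RELEASE' suffix) sorts after any
    pre-release such as 4.3.3-RC1 or 4.3.3-SNAPSHOT of the same number."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    final = qualifier is None or qualifier == "RELEASE"
    return (int(major), int(minor), int(patch), 1 if final else 0, "" if final else qualifier)

def in_range(version, rng):
    """OSV event semantics: introduced is inclusive, fixed is exclusive (first safe
    version), last_affected is inclusive (used where no public fixed version is listed)."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    if "fixed" in rng:
        return v < parse_version(rng["fixed"])
    return v <= parse_version(rng["last_affected"])

def assess(version):
    """Return (affected, upgrade_to); upgrade_to is None when the version is not affected."""
    for rng in AFFECTED_RANGES:
        if in_range(version, rng):
            return True, rng["upgrade_to"]
    return False, None

# groupId:artifactId:type[:classifier]:version:scope, as printed by `mvn dependency:list`.
DEP_LINE_RE = re.compile(
    r"org\.springframework\.cloud:spring-cloud-config-server:(?:[^:\s]+:){1,2}(\d[^:\s]*):"
    r"(?:compile|runtime|provided|test|system)"
)

def versions_in_dependency_list(text):
    """Every spring-cloud-config-server version mentioned in dependency:list output."""
    return sorted(set(DEP_LINE_RE.findall(text)))

def assess_dependency_list(text):
    """Map each spring-cloud-config-server version found in the output to assess()."""
    return {v: assess(v) for v in versions_in_dependency_list(text)}

# Constructed sample output; not taken from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.2.3:compile
[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:4.2.3:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.4.4:compile
"""

if __name__ == "__main__":
    for version, (affected, target) in assess_dependency_list(SAMPLE_DEPENDENCY_LIST).items():
        status = f"AFFECTED, upgrade to {target} or greater" if affected else "not in an affected range"
        print(f"spring-cloud-config-server {version}: {status}")
```

Pre-release builds of a fixed version (4.3.3-RC1, 4.3.3-SNAPSHOT) are deliberately reported as affected, since "fixed" names the first safe release; a version outside every listed range (for example a 2.x or a 5.1.x) is reported as not affected by this advisory, which says nothing about other advisories.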

Database specific
{
    "github_reviewed": true,
    "severity": "CRITICAL",
    "nvd_published_at": "2026-05-07T04:16:24Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-05-11T16:19:13Z"
}
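The advisory classifies the issue as CWE-22 but does not publish the triggering URL. As an added example (not code from the advisory or from Spring Cloud Config), the Python script below flags the generic request shapes a crafted URL of this class contains (plain, percent-encoded, double-encoded, backslash-separated and ';'-suffixed ".." segments) over access-log lines, and shows the lexical containment check a file-serving endpoint should apply after decoding. The log lines are constructed, and the /{application}/{profile}/{label}/{file} layout of their paths is an assumption about how the file-serving endpoint is addressed.

```python
"""Flag path-traversal shaped requests against a config server's file-serving URLs."""
import re
import posixpath
from urllib.parse import unquote

# Constructed access-log lines in common log format; not captured traffic.
# The /{application}/{profile}/{label}/{file} layout is an assumption of this example.
SAMPLE_LOG = """\
10.0.0.5 - - [07/May/2026:10:00:01 +0000] "GET /app/default/main/application.yml HTTP/1.1" 200 512
10.0.0.9 - - [07/May/2026:10:00:02 +0000] "GET /app/default/main/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
10.0.0.9 - - [07/May/2026:10:00:03 +0000] "GET /app/default/main/%252e%252e/%252e%252e/secrets.txt HTTP/1.1" 404 0
10.0.0.9 - - [07/May/2026:10:00:04 +0000] "GET /app/default/main/..\\..\\application.properties HTTP/1.1" 404 0
10.0.0.9 - - [07/May/2026:10:00:05 +0000] "GET /app/default/main/..;/..;/application.yml HTTP/1.1" 200 512
10.0.0.5 - - [07/May/2026:10:00:06 +0000] "GET /app/default/main/notes...txt HTTP/1.1" 200 12
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# A '..' that is a whole path segment: preceded by start-of-path or '/', followed by
# end-of-path, '/', a ';' path parameter, or the query/fragment delimiters.
DOT_DOT_SEGMENT = re.compile(r"(?:^|/)\.\.(?=$|[/;?#])")

def fully_decode(text, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that both
    '%2e%2e' and the double-encoded '%252e%252e' collapse to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def normalize_target(target):
    """Canonical form for matching: drop the query string, decode, fold '\\' to '/'."""
    path = target.split("?", 1)[0]
    return fully_decode(path).replace("\\", "/")

def is_traversal(target):
    """True when the decoded request path contains a '..' segment."""
    return DOT_DOT_SEGMENT.search(normalize_target(target)) is not None

def flag_traversal(log_text):
    """Return (client, raw target, normalized target) for each traversal-shaped request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["client"], m["target"], normalize_target(m["target"])))
    return hits

def safe_join(base_dir, requested):
    """Lexical containment check for a file-serving endpoint: decode, join under
    base_dir, normalize, and return the path only if it is still under base_dir.
    Purely lexical; a real endpoint must also resolve symlinks on the filesystem."""
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, normalize_target(requested).lstrip("/")))
    return joined if joined == base or joined.startswith(base + "/") else None

if __name__ == "__main__":
    for client, raw, norm in flag_traversal(SAMPLE_LOG):
        print(f"{client} {raw!r} -> {norm!r}")
    print(safe_join("/srv/config-repo", "app/default/main/application.yml"))
    print(safe_join("/srv/config-repo", "..%2F..%2Fetc%2Fpasswd"))
```

Feed real access logs through flag_traversal to find attempts against an exposed server; the "notes...txt" line is kept in the sample to show that only whole ".." segments are matched, not filenames that merely contain dots.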
Affected packages

Maven
org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Last affected
3.1.13

Affected versions

3.*
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json"
org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Last affected
4.1.9

Affected versions

4.*
4.1.0
4.1.1
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json"
org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Last affected
4.2.6

Affected versions

4.*
4.2.0
4.2.1
4.2.2
4.2.3
4.2.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json"
org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.3.3

Affected versions

4.*
4.3.0
4.3.1
4.3.2

Database specific

last_known_affected_version_range
"<= 4.3.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json"
org.springframework.cloud:spring-cloud-config-server

Package

Name
org.springframework.cloud:spring-cloud-config-server
Purl
pkg:maven/org.springframework.cloud/spring-cloud-config-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.3

Affected versions

5.*
5.0.0
5.0.1
5.0.2

Database specific

last_known_affected_version_range
"<= 5.0.2"
source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-6g23-24mc-hx6x/GHSA-6g23-24mc-hx6x.json"