Summary

Parameter	Value
CVE ID	CVE-2026-40982
Alert Source	GitHub Advisory - Critical Vulnerability
CVE Publication Year	2026
Date Published	2026-05-07
Vendor	VMware
Product	Spring Cloud Config
CVSS Score	9.1 (critical)
EPSS Score	No data
CISA KEV	No
Ransomware	Not confirmed

Vulnerability Description

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater.

Required Actions

Apply vendor patches or mitigations as soon as available.

Who Is Affected?

This vulnerability affects Spring Cloud Config by VMware. Check if your organization uses this software and requires updates.

Sources

Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.

Learn More

Why is CIS Benchmarks compliance so critical for your AWS cloud security?

Learn how to conduct an effective AWS security audit aligned with CIS Benchmarks. Identify gaps and improve regulatory compliance....

What is AWS cloud security and why is it critical to your business?

Learn the key principles of security in the AWS cloud. Learn how to protect your data and infrastructure in a cloud environment....

AWS vs Azure vs Google Cloud - A comparison of public cloud leaders

AWS, Azure or Google Cloud? Compare the most popular cloud platforms and choose the best solution for your business. Check out the key differences!...

CVE-2026-40982: Directory Traversal in VMware Spring Cloud Config

Summary

Vulnerability Description

Required Actions

Who Is Affected?

Sources

Learn More

Tags:

Share:

Talk to an expert

Grzegorz Gnych

Want to Reduce IT Risk and Costs?