Bug 2467621 (CVE-2026-40981) - CVE-2026-40981 Spring Cloud Config: Spring Cloud Config: Information disclosure of secrets from unintended GCP projects
Summary: CVE-2026-40981 Spring Cloud Config: Spring Cloud Config: Information disclosu...
Keywords:
Status: NEW
Alias: CVE-2026-40981
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2486567
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-07 05:01 UTC by OSIDB Bzimport
Modified: 2026-06-08 22:16 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-07 05:01:51 UTC 
When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects.
Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Note You need to log in before you can comment on or make changes to this bug.