Bug 2467637 (CVE-2026-41004) - CVE-2026-41004 Spring Cloud Config Server: Spring Cloud Config: Spring Cloud Config Server: Information disclosure via trace logging
Summary: CVE-2026-41004 Spring Cloud Config Server: Spring Cloud Config: Spring Cloud ...
Keywords:
Status: NEW
Alias: CVE-2026-41004
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2486591
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-07 05:02 UTC by OSIDB Bzimport
Modified: 2026-06-08 23:07 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-07 05:02:47 UTC 
When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs.
Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
Note You need to log in before you can comment on or make changes to this bug.