CVE-2026-40981: Spring Cloud Config Exposes GCP Secrets

A critical vulnerability, CVE-2026-40981, has been identified in Spring Cloud Config when used with Google Secrets Manager. According to the National Vulnerability Database, a malicious client can craft specific requests to the config server, potentially exposing sensitive secrets from unintended Google Cloud Platform (GCP) projects. This isn’t just a misconfiguration risk; it’s a bypass that directly undermines the segregation of secrets.

The National Vulnerability Database assigns this a CVSS score of 7.5 (High), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. Read out, that vector means an unauthenticated attacker (PR:N) can exploit the flaw remotely (AV:N) with low complexity (AC:L) and no user interaction (UI:N), and the result is a complete loss of confidentiality (C:H) with no impact on integrity or availability. The flaw, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key), is a glaring security hole for organizations relying on Spring Cloud Config for centralized secret management.

Immediate patching is non-negotiable. Affected versions span Spring Cloud Config 3.1.x (up to 3.1.13), 4.1.x (up to 4.1.9), 4.2.x (up to 4.2.6), 4.3.x (up to 4.3.2), and 5.0.x (up to 5.0.2). Organizations must upgrade to 3.1.14+, 4.1.10+, 4.2.7+, 4.3.3+, or 5.0.3+ respectively. For enterprise support customers, ensure you’re on the latest patched versions.

What This Means For You

  • If your organization uses Spring Cloud Config with Google Secrets Manager, assume compromise until proven otherwise. Immediately identify all instances running affected versions. Prioritize patching to the recommended secure versions. Post-patch, audit GCP project access logs for any unauthorized secret retrieval attempts, especially from projects that should not be accessible to the config server.
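The first step above, identifying every instance on an affected version, is easy to get wrong by hand because five release lines have five different cut-off points. The following helper is an added example, not code from the advisory or from the Spring Cloud project: it encodes the affected and fixed ranges exactly as the advisory states them, classifies a version string, and scans `mvn dependency:list`-style output for the Spring Cloud Config artifacts. The dependency listing is constructed sample data, and the artifact names in `CONFIG_ARTIFACTS` and the assumption that they carry the Spring Cloud Config release number are mine, not the advisory's.

```python
"""Triage helper for CVE-2026-40981: is a Spring Cloud Config version in an
affected range, and which release fixes it?

Added example; not code from the advisory or from the Spring Cloud project.
Affected/fixed ranges are copied from the advisory text. The dependency
listing below is constructed to resemble `mvn dependency:list` output."""
import re

# (first affected, last affected, first fixed) per release line, from the advisory.
AFFECTED_RANGES = {
    (3, 1): ((3, 1, 0), (3, 1, 13), "3.1.14"),
    (4, 1): ((4, 1, 0), (4, 1, 9), "4.1.10"),
    (4, 2): ((4, 2, 0), (4, 2, 6), "4.2.7"),
    (4, 3): ((4, 3, 0), (4, 3, 2), "4.3.3"),
    (5, 0): ((5, 0, 0), (5, 0, 2), "5.0.3"),
}

# Assumption (not from the advisory): these artifacts share the Spring Cloud
# Config release number, so their version is the one to check.
CONFIG_ARTIFACTS = (
    "spring-cloud-config-server",
    "spring-cloud-config-client",
    "spring-cloud-starter-config",
)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")
# groupId:artifactId:type:version:scope (classifier-bearing lines are not handled)
DEP_LINE_RE = re.compile(r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)")


def parse_version(version: str) -> tuple:
    """Return (major, minor, patch); trailing qualifiers like '.RELEASE' are ignored."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> tuple:
    """Classify a version as 'affected', 'fixed' or 'unknown-branch'.
    Returns (status, first_fixed_version_or_None). 'unknown-branch' means the
    advisory lists no range for that minor line, so it needs a vendor check."""
    v = parse_version(version)
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is None:
        return ("unknown-branch", None)
    first, last, fixed = rng
    if first <= v <= last:
        return ("affected", fixed)
    return ("fixed", fixed)


def scan_dependency_list(text: str) -> list:
    """Pick Spring Cloud Config artifacts out of dependency-list lines and assess
    each one. Returns [(artifactId, version, status, fixed_in), ...]."""
    findings = []
    for line in text.splitlines():
        m = DEP_LINE_RE.match(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        if group == "org.springframework.cloud" and artifact in CONFIG_ARTIFACTS:
            status, fixed = assess(version)
            findings.append((artifact, version, status, fixed))
    return findings


# Constructed sample output (not real project data).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.2.5:compile
[INFO]    org.springframework.cloud:spring-cloud-starter-config:jar:4.2.5:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:3.4.1:compile
"""

if __name__ == "__main__":
    for artifact, version, status, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        hint = f" (upgrade to {fixed}+)" if status == "affected" else ""
        print(f"{artifact} {version}: {status}{hint}")
```

Run it against the real output of `mvn dependency:list` (or an equivalent listing from your build tool) for each config server deployment; anything reported as `affected` goes to the top of the patch queue, and `unknown-branch` results mean the release line is not covered by the advisory and should be checked against the vendor's own notice rather than assumed safe.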

Detection Rules

Detection rules auto-generated for this advisory and mapped to MITRE ATT&CK (three rules were generated; the Sigma rule shown below is one of them).

Rule: Spring Cloud Config GCP Secrets Exposure (level: high; ATT&CK T1190, Initial Access)

Sigma YAML:
title: Spring Cloud Config GCP Secrets Exposure - Free Tier
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects potential exploitation of CVE-2026-40981 by looking for GET requests to
  Spring Cloud Config endpoints that include '/config/v1/projects/' and '/secrets/',
  indicating an attempt to access GCP secrets from unintended projects.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40981/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/config/v1/projects/'
    cs-method: 'GET'
    sc-status: 200
  selection_exploit_path:
    cs-uri|contains: '/secrets/'
  condition: selection and selection_exploit_path
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
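Before shipping the rule above to a SIEM it is worth seeing exactly what its `condition` does and does not fire on. The script below is an added example, not part of the advisory's rule set: it re-implements the rule's two selections and their AND over constructed W3C-format webserver log lines carrying the three fields the rule references (`cs-method`, `cs-uri`, `sc-status`). The IP addresses, project name and URIs are placeholder test strings chosen only because they contain the rule's substrings.

```python
"""Run the advisory's Sigma rule logic over sample webserver log lines.

Added example; not part of the advisory's rule set. Log lines are constructed
in W3C extended format with the fields the rule uses (cs-method, cs-uri,
sc-status). Addresses, project name and paths are placeholder test data."""

SAMPLE_LOG = """\
#Software: example-webserver
#Fields: date time c-ip cs-method cs-uri sc-status
2026-05-07 07:20:01 10.0.0.5 GET /application/default 200
2026-05-07 07:20:05 10.0.0.5 GET /config/v1/projects/example-project/secrets/db-password/versions/latest 200
2026-05-07 07:20:09 10.0.0.9 GET /config/v1/projects/example-project/secrets/db-password/versions/latest 403
2026-05-07 07:20:12 10.0.0.9 POST /config/v1/projects/example-project/secrets/db-password 200
2026-05-07 07:20:15 10.0.0.5 GET /config/v1/projects/example-project 200
"""


def parse_w3c(text: str) -> list:
    """Parse W3C extended log text into dicts keyed by the names on the #Fields line."""
    fields = None
    events = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; a real pipeline would count and surface these
        events.append(dict(zip(fields, parts)))
    return events


def selection(ev: dict) -> bool:
    """Sigma 'selection': GET to a URI containing /config/v1/projects/ that returned 200."""
    return ("/config/v1/projects/" in ev.get("cs-uri", "")
            and ev.get("cs-method") == "GET"
            and ev.get("sc-status") == "200")


def selection_exploit_path(ev: dict) -> bool:
    """Sigma 'selection_exploit_path': URI also contains /secrets/."""
    return "/secrets/" in ev.get("cs-uri", "")


def rule_matches(ev: dict) -> bool:
    """condition: selection and selection_exploit_path"""
    return selection(ev) and selection_exploit_path(ev)


def find_hits(text: str) -> list:
    """Events the rule alerts on."""
    return [ev for ev in parse_w3c(text) if rule_matches(ev)]


def near_misses(text: str) -> list:
    """Events touching the same project/secrets path shape that the rule does NOT
    alert on (non-200 responses, non-GET methods): what the rule leaves invisible."""
    return [ev for ev in parse_w3c(text)
            if "/config/v1/projects/" in ev.get("cs-uri", "")
            and selection_exploit_path(ev)
            and not rule_matches(ev)]


if __name__ == "__main__":
    for ev in find_hits(SAMPLE_LOG):
        print("ALERT      ", ev["c-ip"], ev["cs-method"], ev["cs-uri"], ev["sc-status"])
    for ev in near_misses(SAMPLE_LOG):
        print("not alerted", ev["c-ip"], ev["cs-method"], ev["cs-uri"], ev["sc-status"])
```

Two things the run makes visible. First, because the rule requires `sc-status: 200`, a burst of 403 or 404 responses to the same path shape (a probe that did not succeed) produces no alert; a second, lower-severity rule without the status clause is a reasonable companion if you want to see attempts rather than only successes. Second, the rule only works if `cs-uri`, `cs-method` and `sc-status` are the field names your log source actually emits after Sigma field mapping; confirm the mapping in your backend before trusting a silent rule.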

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-40981  Information Disclosure  Spring Cloud Config 3.1.0 through 3.1.13
CVE-2026-40981  Information Disclosure  Spring Cloud Config 4.1.0 through 4.1.9
CVE-2026-40981  Information Disclosure  Spring Cloud Config 4.2.0 through 4.2.6
CVE-2026-40981  Information Disclosure  Spring Cloud Config 4.3.0 through 4.3.2
CVE-2026-40981  Information Disclosure  Spring Cloud Config 5.0.0 through 5.0.2

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
