Spring Cloud Config Vulnerability CVE-2026-40982 Allows Directory Traversal

/CRITICAL /CVSS 9.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvecriticalhigh-severitypath-traversalcwe-22
Spring Cloud Config Vulnerability CVE-2026-40982 Allows Directory Traversal

A critical directory traversal vulnerability, tracked as CVE-2026-40982, has been identified in Spring Cloud Config. According to the National Vulnerability Database, this flaw, rated with a CVSS score of 9.1 (Critical), allows attackers to serve arbitrary text and binary files through the spring-cloud-config-server module. By crafting a specially designed URL, a malicious actor can exploit this to traverse directories and potentially access sensitive files outside the intended scope.

This vulnerability impacts multiple versions across several Spring Cloud Config branches. Specifically, Spring Cloud Config 3.1.0 through 3.1.13, 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, 4.3.0 through 4.3.2, and 5.0.0 through 5.0.2 are all affected. The National Vulnerability Database recommends upgrading to 3.1.14 (Enterprise Support Only), 4.1.10 (Enterprise Support Only), 4.2.7 (Enterprise Support Only), 4.3.3, or 5.0.3, or later versions, depending on the deployed branch.

From an attacker’s perspective, this is a low-effort, high-impact vulnerability. No authentication or complex conditions are required for exploitation, making it highly attractive. For defenders, the implications are severe: unauthorized file access can lead to information disclosure, credential theft, or even arbitrary code execution if sensitive scripts or configurations are exposed and subsequently misused. This isn’t just about data exfiltration; it’s a potential beachhead for further attacks.

What This Means For You

  • If your organization uses Spring Cloud Config, you need to immediately identify all instances running affected versions. Prioritize patching to the recommended secure versions (3.1.14+, 4.1.10+, 4.2.7+, 4.3.3+, or 5.0.3+) to prevent critical directory traversal attacks via CVE-2026-40982. Audit your `spring-cloud-config-server` deployments for any unusual file access patterns in logs.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1083 File and Directory Discovery Discovery

🛡️ Detection Rules

2 rules · 6 SIEM formats

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-40982 - Spring Cloud Config Directory Traversal

Sigma YAML — free preview 
title: CVE-2026-40982 - Spring Cloud Config Directory Traversal
id: scw-2026-05-07-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-40982 by looking for directory traversal patterns like '/../' or its URL-encoded equivalent '/..%252f' within the request URI. This vulnerability allows attackers to access arbitrary files on the server via the Spring Cloud Config server module.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40982/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      uri|contains:
          - '/..%252f'
          - '/../'
      cs-uri|contains:
          - '/..%252f'
          - '/../'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-40982 Path Traversal Spring Cloud Config spring-cloud-config-server module
CVE-2026-40982 Path Traversal Spring Cloud Config 3.1.x versions 3.1.0 through 3.1.13
CVE-2026-40982 Path Traversal Spring Cloud Config 4.1.x versions 4.1.0 through 4.1.9
CVE-2026-40982 Path Traversal Spring Cloud Config 4.2.x versions 4.2.0 through 4.2.6
CVE-2026-40982 Path Traversal Spring Cloud Config 4.3.x versions 4.3.0 through 4.3.2

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 07, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8063 — Null Pointer Dereference

CVE-2026-8063 — An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the...

vulnerabilityCVEmedium-severitynull-pointer-dereferencecwe-476
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 1 Sigma

WP-Optimize Plugin Flaw Allows Arbitrary File Deletion, RCE via wp-config.php

CVE-2026-7252 — The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary...

vulnerabilityCVEhigh-severityremote-code-executioncwe-22
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 5 IOCs /⚙ 3 Sigma

CVE-2026-6692: WordPress Slider Revolution RCE Vulnerability

CVE-2026-6692 — The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function....

vulnerabilityCVEhigh-severityremote-code-executioncwe-434
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 3 IOCs /⚙ 3 Sigma