Spring Cloud Config Server Vulnerable to TOCTOU Attacks (CVE-2026-41002)

/HIGH /CVSS 7.2/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-367
Spring Cloud Config Server Vulnerable to TOCTOU Attacks (CVE-2026-41002)

The National Vulnerability Database (NVD) has detailed CVE-2026-41002, a high-severity (CVSS 7.2) time-of-check-time-of-use (TOCTOU) vulnerability affecting Spring Cloud Config Server. Specifically, the base directory (spring.cloud.config.server.git.basedir) used for cloning Git repositories is susceptible. This flaw allows an attacker to manipulate the file system between the time the server checks a file’s state and the time it uses it, potentially leading to unauthorized file access or modification.

This isn’t a theoretical issue; TOCTOU vulnerabilities can be exploited for privilege escalation or to bypass security controls, especially in environments where the Config Server handles sensitive configurations or credentials. An attacker with local access, or potentially through other vulnerabilities, could exploit this to redirect file operations to arbitrary locations. The NVD specifies affected versions across Spring Cloud Config 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x.

Defenders need to prioritize patching. For Spring Cloud Config 3.1.x, upgrade to 3.1.14 or greater (Enterprise Support Only); for 4.1.x, upgrade to 4.1.10 or greater (Enterprise Support Only); for 4.2.x, upgrade to 4.2.7 or greater (Enterprise Support Only); for 4.3.x, upgrade to 4.3.3 or greater; and for 5.0.x, upgrade to 5.0.3 or greater. Failing to update leaves a significant attack surface open for an attacker to pivot from a limited foothold to potentially sensitive data or broader system compromise.

What This Means For You

  • If your organization uses Spring Cloud Config Server, you are exposed to CVE-2026-41002. Immediately identify all instances of Spring Cloud Config Server in your environment and apply the recommended patches to mitigate this TOCTOU vulnerability. Audit your configuration management systems for any unauthorized changes or access attempts.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

Spring Cloud Config Server TOCTOU Base Directory Manipulation - CVE-2026-41002

Sigma YAML — free preview 
title: Spring Cloud Config Server TOCTOU Base Directory Manipulation - CVE-2026-41002
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects attempts to manipulate the base directory used by Spring Cloud Config Server for cloning Git repositories. This rule specifically looks for file modifications within paths that are likely to be targeted during a TOCTOU attack against the `spring.cloud.config.server.git.basedir` configuration, aiming to exploit the vulnerability (CVE-2026-41002).
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41002/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: file_event
detection:
  selection:
      TargetFilename|contains:
          - '/.git/'
      TargetFilename|contains:
          - '/config/'
      TargetFilename|contains:
          - '/repo/'
      EventType|exact:
          - 'modification'
  selection_base:
      TargetFilename|contains:
          - 'spring.cloud.config.server.git.basedir'
  condition: selection AND selection_base
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-41002 Race Condition Spring Cloud Config Server base directory (spring.cloud.config.server.git.basedir) susceptible to TOCTOU attacks
CVE-2026-41002 Misconfiguration Spring Cloud Config 3.1.x versions 3.1.0 through 3.1.13
CVE-2026-41002 Misconfiguration Spring Cloud Config 4.1.x versions 4.1.0 through 4.1.9
CVE-2026-41002 Misconfiguration Spring Cloud Config 4.2.x versions 4.2.0 through 4.2.6
CVE-2026-41002 Misconfiguration Spring Cloud Config 4.3.x versions 4.3.0 through 4.3.2

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 07, 2026 at 07:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-8063 — Null Pointer Dereference

CVE-2026-8063 — An authenticated user can crash mongod when running $rankFusion or $scoreFusion with an empty pipeline on a view. When resolving a view, the...

vulnerabilityCVEmedium-severitynull-pointer-dereferencecwe-476
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 1 Sigma

WP-Optimize Plugin Flaw Allows Arbitrary File Deletion, RCE via wp-config.php

CVE-2026-7252 — The WP-Optimize – Cache, Compress images, Minify & Clean database to boost page speed & performance plugin for WordPress is vulnerable to arbitrary...

vulnerabilityCVEhigh-severityremote-code-executioncwe-22
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 5 IOCs /⚙ 3 Sigma

CVE-2026-6692: WordPress Slider Revolution RCE Vulnerability

CVE-2026-6692 — The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and '_check_file_path' function....

vulnerabilityCVEhigh-severityremote-code-executioncwe-434
/SCW Vulnerability Desk /HIGH /8.8 /⚑ 3 IOCs /⚙ 3 Sigma