Home

Description

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

PUBLISHED Reserved 2026-04-16 | Published 2026-05-07 | Updated 2026-05-07 | Assigner vmware




HIGH: 7.4CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Problem types

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

Product status

Default status
unaffected

3.1.0 (custom) before 3.1.14
affected

4.1.0 (custom) before 4.1.10
affected

4.2.0 (custom) before 4.2.7
affected

4.3.0 (custom) before 4.3.3
affected

5.0.0 (custom) before 5.0.3
affected

References

spring.io/security/cve-2026-41002

cve.org (CVE-2026-41002)

nvd.nist.gov (CVE-2026-41002)

Download JSON