Intel

AIKIDO-2026-10773

spring-cloud-config-server is vulnerable to Authorization Bypass Through User-Controlled Key

Authorization Bypass Through User-Controlled Key
CVE-2026-40981
Published May 8, 2026

75 (High Risk)

This Affects:

Package: spring-cloud-config-server (Java)

0.0.1 - 3.1.13, fixed in 3.1.14
4.0.0 - 4.1.9, fixed in 4.1.10
4.2.0 - 4.2.6, fixed in 4.2.7
4.3.0 - 4.3.2, fixed in 4.3.3
5.0.0 - 5.0.2, fixed in 5.0.3

TL;DR

Affected versions of spring-cloud-config-server using Google Secrets Manager as a backend allow a client to craft requests that may expose secrets from unintended GCP projects accessible by the Config Server. The issue occurs because project access is not sufficiently restricted when resolving secrets, potentially allowing unauthorized cross-project secret access.

Who does this affect?

You are affected if you run a version that falls within one of the vulnerable ranges above and your Config Server uses Google Secrets Manager as a backend.

Background info

spring-cloud-config-server is vulnerable to Authorization Bypass Through User-Controlled Key in versions 0.0.1 - 3.1.13, 4.0.0 - 4.1.9, 4.2.0 - 4.2.6, 4.3.0 - 4.3.2 and 5.0.0 - 5.0.2.

How to fix this

Upgrade the org.springframework.cloud:spring-cloud-config-server library to a patched version (3.1.14, 4.1.10, 4.2.7, 4.3.3 or 5.0.3, depending on your release line), or set spring.cloud.config.server.gcp-secret-manager.token-mandatory=true.
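An audit check for this advisory, added here as an example and not code from Aikido or the Spring Cloud project: it applies the version ranges and the mitigation property listed above to a declared dependency version and an application.properties file. The sample properties are constructed, and the check assumes the caller knows whether the Google Secrets Manager backend is in use.

```python
import re

# Affected / fixed release lines exactly as the advisory lists them:
# (first affected, last affected, first fixed)
AFFECTED_RANGES = [
    ("0.0.1", "3.1.13", "3.1.14"),
    ("4.0.0", "4.1.9", "4.1.10"),
    ("4.2.0", "4.2.6", "4.2.7"),
    ("4.3.0", "4.3.2", "4.3.3"),
    ("5.0.0", "5.0.2", "5.0.3"),
]
# Mitigation property named in the advisory's "How to fix this" section
MITIGATION_KEY = "spring.cloud.config.server.gcp-secret-manager.token-mandatory"

def parse_version(text):
    # "4.1.9", "4.1.9.RELEASE" and "3.1.13-SNAPSHOT" all compare as (4, 1, 9)-style tuples
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def fixed_version_for(version):
    # First fixed release for an affected version; None when outside every affected range
    v = parse_version(version)
    for first, last, fixed in AFFECTED_RANGES:
        if parse_version(first) <= v <= parse_version(last):
            return fixed
    return None

def load_properties(text):
    # Minimal application.properties reader: "key=value" or "key: value"; '#'/'!' lines skipped
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess(version, props, uses_gcp_secret_manager=True):
    # Only deployments on the Google Secrets Manager backend are in scope for this CVE
    fixed = fixed_version_for(version)
    if fixed is None or not uses_gcp_secret_manager:
        return "not affected"
    if props.get(MITIGATION_KEY, "").lower() == "true":
        return "mitigated"
    return f"vulnerable (upgrade to {fixed})"

# Constructed sample application.properties: mitigation unset, then the advisory's setting applied
WEAK_PROPS = "# config server settings\nserver.port=8888\n"
FIXED_PROPS = WEAK_PROPS + MITIGATION_KEY + "=true\n"

if __name__ == "__main__":
    print([assess("4.1.9", load_properties(p)) for p in (WEAK_PROPS, FIXED_PROPS)])
```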