Vulnerabilities ›

CVE-2026-41002

High

CWE-367 — Weakness Type

                    Published: May 7, 2026                      ·  Modified: May 14, 2026                      ·  Source: NVD                

CVSS v3

7.2

🔗 NVD Official

📄 Description (English)

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks.
Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

🤖 AI Executive Summary

Spring Cloud Config Server contains a time-of-check-time-of-use (TOCTOU) vulnerability in the base directory used for cloning Git repositories, allowing potential unauthorized access or manipulation. Multiple versions across 3.1.x through 5.0.x branches are affected and require immediate patching.

📄 Description (Arabic)

ثغرة TOCTOU في Spring Cloud Config Server تؤثر على المجلد الأساسي المستخدم لاستنساخ مستودعات Git، مما قد يسمح للمهاجمين بالتلاعب بملفات التكوين أثناء نافذة زمنية حرجة. تؤثر الثغرة على إصدارات متعددة من الإصدار 3.1.0 إلى 5.0.2.

🤖 ملخص تنفيذي (AI)

خادم Spring Cloud Config يحتوي على ثغرة TOCTOU في المجلد الأساسي المستخدم لاستنساخ مستودعات Git، مما يسمح بالوصول غير المصرح به أو التلاعب. تتأثر إصدارات متعددة عبر الفروع 3.1.x حتى 5.0.x وتتطلب تصحيحًا فوريًا.

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 00:45

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom government energy

🎯 MITRE ATT&CK Techniques

T1195.002 T1195.003 T1566.002

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Immediately upgrade Spring Cloud Config to patched versions: 3.1.14+, 4.1.10+, 4.2.7+, 4.3.3+, or 5.0.3+. For versions 3.1.x through 4.2.x, contact Enterprise Support for patches. Implement strict file system permissions on the base directory, disable unnecessary Git operations, and monitor configuration server logs for suspicious activities.

🔧 خطوات المعالجة (العربية)

قم بالترقية الفورية إلى إصدارات مصححة: 3.1.14+ أو 4.1.10+ أو 4.2.7+ أو 4.3.3+ أو 5.0.3+. للإصدارات 3.1.x حتى 4.2.x، تواصل مع دعم Enterprise للحصول على التصحيحات. طبق أذونات نظام ملفات صارمة على المجلد الأساسي، وعطل عمليات Git غير الضرورية، ومراقبة سجلات خادم التكوين للأنشطة المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC-1.1 ECC-2.1 ECC-2.2

🔵 SAMA CSF

ID.BE-1 PR.DS-1 PR.DS-2 DE.CM-1

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1 A.14.2.5

🔗 References & Sources 1

🔗

https://spring.io/security/cve-2026-41002

security@vmware.com

Vendor Advisory

📦 Affected Products / CPE 5 entries

vmware:spring_cloud_config

📊 CVSS Score

7.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

Attack VectorL — Low / Local

Attack ComplexityH — High

Privileges RequiredH — High

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityH — High

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.2

CWECWE-367

EPSS0.00%

Exploit No

Patch ✗ No

Published 2026-05-07

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-367

🏢 Vendor Advisories

🔗 https://spring.io/security/cve-2026-41002

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-41002

Introduce Yourself

Sign In Required