CVE-2026-41004 · MEDIUM · CVSS 4.4

Spring Cloud Config Server Logged Sensitive Information

Published May 7, 2026·Updated Jun 18, 2026

Description

When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs.

- Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available.
- Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
- Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
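A defender-side check for the condition described above, as an added example that is not part of the advisory or the Spring project's code: it classifies a release against the listed ranges and resolves whether TRACE is the effective level for the server's loggers from Spring Boot `logging.level.*` properties. The logger package `org.springframework.cloud.config.server`, the function names and the sample properties are assumptions; the advisory does not say which logger emits the data.

```python
import re

# Affected ranges copied from the advisory: (first, last affected, fixed release or None).
AFFECTED = [
    ((3, 0, 0), (3, 0, 7), None),
    ((3, 1, 0), (3, 1, 13), None),
    ((4, 1, 0), (4, 1, 9), None),
    ((4, 2, 0), (4, 2, 6), None),
    ((4, 3, 0), (4, 3, 2), "4.3.3"),
    ((5, 0, 0), (5, 0, 2), "5.0.3"),
]
# Assumption: the sensitive output comes from loggers under this package.
SERVER_LOGGER = "org.springframework.cloud.config.server"
# Constructed sample: root is TRACE, but a more specific key overrides it.
SAMPLE = "logging.level.root=TRACE\nlogging.level.org.springframework.cloud.config=INFO\n"

def classify_version(version):
    """Return (affected, fixed_in); releases the advisory does not list give (False, None)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    for first, last, fixed in AFFECTED:
        if first <= v <= last:
            return True, fixed
    return False, None

def effective_level(properties_text, logger=SERVER_LOGGER):
    """Resolve the level for `logger`: the most specific configured ancestor wins."""
    best_len, level = -1, "INFO"  # Spring Boot logs at INFO when nothing is configured
    for line in properties_text.splitlines():
        m = re.match(r"\s*logging\.level\.([\w.]+)\s*[=:]\s*(\w+)", line)
        if not m:
            continue  # comments and unrelated keys
        name, value = m.group(1), m.group(2).upper()
        if name.lower() == "root":
            depth = 0
        elif logger == name or logger.startswith(name + "."):
            depth = len(name)
        else:
            continue  # key configures a logger outside the server's hierarchy
        if depth > best_len:
            best_len, level = depth, value
    return level

def exposed(version, properties_text):
    """True when an affected release runs with TRACE effective on the server logger."""
    return classify_version(version)[0] and effective_level(properties_text) == "TRACE"
```

The check reads only static properties text; a level changed at runtime or set through environment variables or a logging framework config file is outside what it sees.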

Affected Packages (1)

org.springframework.cloud:spring-cloud-config-server · MAVEN
From 3.1.0
Fixed in = 3.1.13

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
