Spring Product Security Update Advisory (CVE-2026-22739)
overview
We have released security updates that address vulnerabilities in Spring products. Users of affected products are encouraged to update to the latest version.
affected products
CVE-2026-22739
Spring Cloud Config version: 3.1.x
Spring Cloud Config version: 4.1.x
Spring Cloud Config version: 4.2.x
Spring Cloud Config version: 4.3.x
Spring Cloud Config version: 5.0.x
resolved vulnerabilities
Arbitrary file access and SSRF vulnerability in Spring Cloud Config (CVE-2026-22739)
vulnerability patches
Patches for the vulnerability have been made available in the latest update. Please follow the instructions on the reference site to update to the latest patched version.
CVE-2026-22739
Spring Cloud Config version: 3.1.13
Spring Cloud Config version: 4.1.9
Spring Cloud Config version: 4.2.6
Spring Cloud Config version: 4.3.2
Spring Cloud Config version: 5.0.2
references
[1] CVE-2026-22739: Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks
https://spring.io/security/cve-2026-22739