- Security updates have been released to address vulnerabilities in Spring products.
- The affected products are Spring Cloud Config and Spring AI.
- The vulnerabilities addressed in Spring Cloud Config are CVE-2026-40981, CVE-2026-40982, and CVE-2026-41002.
- CVE-2026-40981 is a privilege bypass vulnerability.
- CVE-2026-40982 is a directory path manipulation (directory traversal) vulnerability.
- CVE-2026-41002 is a TOCTOU race condition vulnerability.
- The vulnerability addressed in Spring AI is CVE-2026-41705, which the summary lists both as a race condition vulnerability and as an expression injection vulnerability; the referenced advisory title describes it as an expression injection issue.
- Affected versions of Spring Cloud Config are 3.1.14 and earlier, 4.1.10 and earlier, 4.2.7 and earlier, 4.3.3 and earlier, and 5.0.3 and earlier.
- Affected versions of Spring AI are 1.0.0 up to but not including 1.0.7, and 1.1.0 up to but not including 1.1.6.
- A patch is available in the latest update; users of affected products should follow the vendor instructions and update to the patched version.
- The advisories referenced are "Spring Cloud Config Clients Can Access Secrets From Any Project The Config Server Has Access To On Google Secrets Manager", "Directory Traversal with spring-cloud-config-server", "Spring Cloud Config Server Susceptible To TOCTOU Attack", and "Expression injection in MilvusVectorStore doDelete allows data destruction".