Spring Cloud: Files accessed unintentionally from wrong directories

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.6

Spring Cloud: Files accessed unintentionally from wrong directories

CVE-2026-22739

Summary

Some Spring Cloud users may accidentally access files outside of the intended directory. This can happen when using the Config Server with the native file system backend. To fix this, update to Spring Cloud versions 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2.

Original title

Original description

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

nvd CVSS3.1 8.6

https://spring.io/security/cve-2026-22739

Published: 24 Mar 2026 · Updated: 24 Mar 2026 · First seen: 24 Mar 2026