CVE-2026-22739

HIGH NUCLEI

Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks

Title source: cna

Description

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

Nuclei Templates (1)

Spring Cloud Config Server - Path Traversal

HIGHVERIFIEDby 0x_Akoko,vulnh0lic

Shodan: http.html:"propertySources"

FOFA: body="propertySources" && body="profiles" && body="label"

References (1)

https://spring.io/security/cve-2026-22739

Scores

CVSS v3 8.6

EPSS 0.1128

EPSS Percentile 93.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Details

CWE

CWE-22

Status published

Products (6)

org.springframework.cloud/spring-cloud-config-server 4.3.0 - 4.3.2Maven

Spring/Spring Cloud 3.1.x - 3.1.13

Spring/Spring Cloud 4.1.x - 4.1.9

Spring/Spring Cloud 4.2.x - 4.2.3

Spring/Spring Cloud 4.3.x - 4.3.2

Spring/Spring Cloud 5.0.x - 5.0.2

Published Mar 24, 2026

Tracked Since Mar 24, 2026