Byte Open Security (ByteOS Network)
CVE Vulnerability Details: CVE-2026-41002
Status: PUBLISHED
Assigner: vmware
Assigner Org ID: dcf2e128-44bd-42ed-91e8-88f912c1401d
Published At: 07 May, 2026 | 03:53
Updated At: 07 May, 2026 | 03:53
Rejected At: -

CVE Numbering Authority (CNA)

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks.

  • Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only).
  • Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
  • Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Affected Products
Vendor: VMware (Broadcom Inc.) Spring
Product: Spring Cloud Config
Default Status: unaffected
Affected Versions:
  • From 3.1.0 before 3.1.14 (custom)
  • From 4.1.0 before 4.1.10 (custom)
  • From 4.2.0 before 4.2.7 (custom)
  • From 4.3.0 before 4.3.3 (custom)
  • From 5.0.0 before 5.0.3 (custom)
Problem Types
Type: CWE
CWE ID: CWE-367
Description: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Metrics
Version: 3.1
Base score: 7.4
Base severity: HIGH
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Metrics Other Info
Impacts
CAPEC ID: N/A
Description: A local privileged attacker who can influence the Git base directory can exploit the TOCTOU race condition to compromise confidentiality and integrity of data cloned by Spring Cloud Config Server.
Solutions, Configurations, Workarounds, Exploits, Credits, Timeline, Replaced By, Rejected Reason: no entries
References
Hyperlink: https://spring.io/security/cve-2026-41002
Resource: N/A