CVE-2026-22739
Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks
CVSS Score
8.6
EPSS Score
0.0%
EPSS Percentile
4th
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to a Spring Cloud Config Server configured with the native file system as its backend: the substitution made it possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
| Field | Value |
|---|---|
| Vendor | spring |
| Product | spring cloud |
| Ecosystems | |
| Industries | Technology, Enterprise |
| Published | Mar 24, 2026 |
| Last Updated | Mar 24, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | Low |
| Availability | Low |
Affected Versions
Spring / Spring Cloud:

- 3.1.x < 3.1.13
- 4.1.x < 4.1.9
- 4.2.x < 4.2.3
- 4.3.x < 4.3.2
- 5.0.x < 5.0.2