{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22739", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.675Z", "datePublished": "2026-03-24T00:16:52.794Z", "dateUpdated": "2026-03-24T14:40:53.515Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-24T00:16:52.794Z"}, "title": "Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks", "affected": [{"vendor": "Spring", "product": "Spring Cloud", "versions": [{"status": "affected", "version": "3.1.x", "lessThan": "3.1.13", "versionType": "custom"}, {"status": "affected", "version": "4.1.x", "lessThan": "4.1.9", "versionType": "custom"}, {"status": "affected", "version": "4.2.x", "lessThan": "4.2.3", "versionType": "custom"}, {"status": "affected", "version": "4.3.x", "lessThan": "4.3.2", "versionType": "custom"}, {"status": "affected", "version": "5.0.x", "lessThan": "5.0.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.<p>This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22739"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "https://spring.io/security/cve-2026-22739"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-22", "lang": "en", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T14:40:20.315216Z", "id": "CVE-2026-22739", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:40:53.515Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22739", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T14:40:20.315216Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:39:35.975Z"}}], "cna": {"title": "Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "https://spring.io/security/cve-2026-22739"}]}], "affected": [{"vendor": "Spring", "product": "Spring Cloud", "versions": [{"status": "affected", "version": "3.1.x", "lessThan": "3.1.13", "versionType": "custom"}, {"status": "affected", "version": "4.1.x", "lessThan": "4.1.9", "versionType": "custom"}, {"status": "affected", "version": "4.2.x", "lessThan": "4.2.3", "versionType": "custom"}, {"status": "affected", "version": "4.3.x", "lessThan": "4.3.2", "versionType": "custom"}, {"status": "affected", "version": "5.0.x", "lessThan": "5.0.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22739"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.", "supportingMedia": [{"type": "text/html", "value": "Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.<p>This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-24T00:16:52.794Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22739", "state": "PUBLISHED", "dateUpdated": "2026-03-24T14:40:53.515Z", "dateReserved": "2026-01-09T06:54:49.675Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-24T00:16:52.794Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2."}], "id": "CVE-2026-22739", "lastModified": "2026-03-24T15:53:48.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.7, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-24T01:17:00.910", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-22739"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.1.x,3.1.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.x,4.1.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.2.x,4.2.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.3.x,4.3.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.0.x,5.0.2)"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "Spring Cloud", "source": "cna", "vendor": "Spring"}, "product": "spring", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-04-21T23:31:52.802917+00:00", "value": {"mitigation_remediation": ["Upgrade to a supported version: spring cloud 3.1.13 or later, 4.1.9 or later, 4.2.3 or later, 4.3.2 or later, or 5.0.2 or later.", "If an upgrade is not possible, switch the configuration server from the native file\u2011system backend to another supported backend or restrict the profile substitution lookup paths.", "Limit external exposure of the configuration server by applying network segmentation or firewall rules to block unsolicited access.", "Monitor server logs for anomalous profile requests or unexpected file\u2011system activity and investigate any anomalies."], "summary": {"action": "Patch Immediately", "impact": "Unintended file access and SSRF risk"}, "threat_synthesis": {"affected_systems": "Versions of the Spring Cloud framework before 3.1.13, 4.1.9, 4.2.3, 4.3.2, or 5.0.2 are vulnerable when the Config Server is configured to use the native file system as its backend for profile storage. The issue does not affect configurations using other backends or later releases of these major lines.", "description_and_impact": "Spring Cloud Config Server processes profile substitution requests, mapping profile names to files in its search directories. The resolution step accepts unvalidated paths, enabling an attacker to craft a profile value that traverses directories or specifies arbitrary file paths. This allows the attacker to read host files outside the intended configuration directory, potentially exposing sensitive data. The flaw is a file path traversal vulnerability (CWE\u201122) and, because the server may attempt to resolve URLs contained in the profile data, it can also facilitate server\u2011side request forgery attacks against internal or external resources.", "risk_and_exploitability": "The impact score of 8.6 indicates high severity. With an EPSS score of 11% and no current listing in the known exploited vulnerabilities catalog, the likelihood of recent exploitation is low, yet the vulnerability can be exploited remotely by sending crafted HTTP requests to the profile endpoint. No local privileges are required and the compromise is limited to the host running the configuration server, although the SSRF potential could extend damage to internal network resources."}}}}, "created": "2026-03-24T10:29:36.264062+00:00", "updated": "2026-04-21T23:45:02.957877+00:00", "vendors": ["spring", "spring$PRODUCT$spring"]}