CVE-2026-41004: Spring Cloud Config Server Logged Sensitive Information
When trace logging is enabled in Spring Cloud Config Server, sensitive information is placed in plain text in the logs.
- Spring Cloud Config 3.0.x: affected from 3.0.0 through 3.0.7 (inclusive); no open-source upgrade available.
- Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); no open-source upgrade available.
- Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater.
- Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.
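The following audit sketch is an added example, not code from the advisory or from the Spring project. It checks a version against the ranges listed above and reports which `logging.level.*` entries in a Spring Boot `.properties` file put Config Server code at TRACE. It assumes Config Server classes log under the `org.springframework.cloud.config` package and that logging is configured in properties format (YAML, environment variables and command-line overrides are not covered).

```python
import re

# Last affected patch release per branch, copied from the advisory's list.
LAST_AFFECTED = {(3, 0): 7, (3, 1): 13, (4, 1): 9, (4, 2): 6, (4, 3): 2, (5, 0): 2}
# Assumption: Config Server classes log under this package prefix.
TARGET = "org.springframework.cloud.config"
LEVEL_RE = re.compile(r"\s*logging\.level\.([\w.$]+)\s*[=:]\s*(\w+)")


def is_affected(version):
    """True/False for branches the advisory lists, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    last = LAST_AFFECTED.get((major, minor))
    return None if last is None else patch <= last


def _covers(ancestor, logger):
    """Logger hierarchy: 'root' covers everything, 'a.b' covers 'a.b' and 'a.b.c'."""
    return ancestor.lower() == "root" or logger == ancestor or logger.startswith(ancestor + ".")


def trace_loggers(properties_text):
    """Return the logging.level.* keys that put Config Server code at TRACE."""
    levels = {}
    for line in properties_text.splitlines():
        m = LEVEL_RE.match(line)  # commented-out lines start with '#' and do not match
        if m:
            levels[m.group(1)] = m.group(2).lower()
    # Loggers at or below the target package that are explicitly set to TRACE.
    hits = {n for n, lvl in levels.items() if lvl == "trace" and _covers(TARGET, n)}
    # Otherwise the target inherits from its most specific configured ancestor.
    ancestors = [n for n in levels if _covers(n, TARGET)]
    if ancestors:
        nearest = max(ancestors, key=lambda n: 0 if n.lower() == "root" else n.count(".") + 1)
        if levels[nearest] == "trace":
            hits.add(nearest)
    return sorted(hits)


# Constructed sample application.properties, not taken from any real deployment.
SAMPLE = """\
logging.level.root=TRACE
logging.level.org.springframework=INFO
# logging.level.org.springframework.cloud.config=TRACE
logging.level.org.springframework.cloud.config.server.environment = trace
"""

if __name__ == "__main__":
    print(is_affected("4.3.2"), trace_loggers(SAMPLE))
```

In the sample, `root=TRACE` is not reported because the more specific `org.springframework=INFO` overrides it for Config Server, while the explicit TRACE entry on a sub-package is.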