CVE-2026-22739
Published 2026-03-24
CVE-2026-22739: Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.
Priority: P2 (65) · Severity: high · CVSS 3.1 base score: 8.6
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Exploit: public (Nuclei template below)
EPSS: 1.22% (64.9th percentile)
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to a Spring Cloud Config Server configured with the native file system as its backend: it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: 3.1.x before 3.1.13, 4.1.x before 4.1.9, 4.2.x before 4.2.3, 4.3.x before 4.3.2, and 5.0.x before 5.0.2.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spring | spring_cloud | >= 3.1.x < 3.1.13 | 3.1.13 |
| spring | spring_cloud | >= 4.1.x < 4.1.9 | 4.1.9 |
| spring | spring_cloud | >= 4.2.x < 4.2.3 | 4.2.3 |
| spring | spring_cloud | >= 4.3.x < 4.3.2 | 4.3.2 |
| spring | spring_cloud | >= 5.0.x < 5.0.2 | 5.0.2 |
Detection & IOCs (extracted from sources)
- url: {{BaseURL}}/application/..%2F..%2F..%2F..%2F..%2Fetc
- url: {{BaseURL}}/application/..%2F..%2F..%2F..%2F..%2Fetc/main
- url: {{BaseURL}}/application/..%252F..%252F..%252F..%252F..%252Fetc
- url: {{BaseURL}}/application/default%2C..%2F..%2F..%2F..%2F..%2Fetc
- shodan-query: http.html:"propertySources"
- fofa-query: body="propertySources" && body="profiles" && body="label"
- Probe for Spring Cloud Config Server exposure by checking that 'propertySources', '"profiles"' and '"label"' are all present in the response body of GET /application/default.
- Path traversal payloads place URL-encoded and double-URL-encoded dot-dot-slash sequences in the profile parameter (e.g. ..%2F, ..%252F), or inject a second profile after a comma (default%2C..%2F...), targeting /etc on the server.
- Successful exploitation is confirmed when the response is HTTP 200 with Content-Type application/json and the body contains Unix /etc/passwd-style content matching 'root:.*:0:0' or '"root":"x:0:0:'.
- The vulnerability is in the profile parameter substitution path of Spring Cloud Config Server when the native file system backend is used (CWE-22 path traversal).
- The affected Maven artifact is org.springframework.cloud:spring-cloud-config-server; scan Java build manifests (pom.xml, build.gradle) for this dependency.
- Only Spring Cloud Config Server instances configured with the native file system backend are affected; non-native backends (e.g. Git) are not in scope of the advisory.
- Exploitation requires only a crafted HTTP request; unauthenticated remote exploitation is possible (CVSS AV:N/AC:L/PR:N/UI:N).
- The Nuclei template uses a two-step flow: step 1 confirms the target is a Spring Cloud Config Server, step 2 fires the traversal payloads. This reduces false positives but does not eliminate them.
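An added example, not code from the advisory, the Nuclei template, or the Spring Cloud project: a Python module that reproduces the two-step check described above offline (probe URL list, fingerprint and success classifiers run over constructed sample responses) and adds an illustrative request-side guard for the profile segment that normalizes single and double URL encoding before deciding. The allow-list regex, the base URL, and the sample JSON bodies are assumptions; the guard is an edge-filter idea for a reverse proxy, not the upstream fix.

```python
import json
import re
from urllib.parse import unquote

# Request shapes taken from the Detection & IOCs section, relative to a base URL.
FINGERPRINT_PATH = "/application/default"
TRAVERSAL_PATHS = [
    "/application/..%2F..%2F..%2F..%2F..%2Fetc",              # URL-encoded ../ in the profile
    "/application/..%2F..%2F..%2F..%2F..%2Fetc/main",         # same, with a label segment
    "/application/..%252F..%252F..%252F..%252F..%252Fetc",    # double-URL-encoded ../
    "/application/default%2C..%2F..%2F..%2F..%2F..%2Fetc",    # comma-separated profile injection
]

# Success markers from the detection section. The second one assumes compact
# JSON (no space after the colon), i.e. the default serialization of the server.
PASSWD_PATTERNS = (re.compile(r"root:.*:0:0"), re.compile(r'"root":"x:0:0:'))
PROFILE_ALLOWED = re.compile(r"[A-Za-z0-9_.-]+")  # assumption: our own allow-list, not Spring's


def probe_urls(base_url):
    """Full list of requests the two-step check sends, in order."""
    base = base_url.rstrip("/")
    return [base + p for p in [FINGERPRINT_PATH] + TRAVERSAL_PATHS]


def looks_like_config_server(body):
    """Step 1: fingerprint GET /application/default by its three JSON markers."""
    return all(marker in body for marker in ("propertySources", '"profiles"', '"label"'))


def traversal_succeeded(status, content_type, body):
    """Step 2: HTTP 200 + JSON + /etc/passwd-style content in the body."""
    if status != 200 or not content_type.lower().startswith("application/json"):
        return False
    return any(p.search(body) for p in PASSWD_PATTERNS)


def raw_profile_from_path(path):
    """Pull the still-encoded profile segment out of /{application}/{profile}[/{label}]."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else ""


def profile_segments(raw_profile):
    """Decode until stable (bounded) so %252F and %2F both become '/', then split on ','."""
    s = raw_profile
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.split(",")


def profile_is_safe(raw_profile):
    """Illustrative edge-filter rule (an assumption, not the upstream fix): every
    comma-separated profile must be one allow-listed token and never '.' or '..'."""
    for seg in profile_segments(raw_profile):
        if seg in (".", "..") or not PROFILE_ALLOWED.fullmatch(seg):
            return False
    return True


# Constructed sample responses shaped like Config Server JSON (compact separators).
FINGERPRINT_BODY = json.dumps(
    {"name": "application", "profiles": ["default"], "label": None,
     "version": None, "state": None, "propertySources": []},
    separators=(",", ":"))
EXPLOITED_BODY = json.dumps(
    {"name": "application", "profiles": ["../../../../../etc"], "label": None,
     "propertySources": [{"name": "file:/etc/passwd",
                          "source": {"root": "x:0:0:root:/root:/bin/bash",
                                     "daemon": "x:1:1:daemon:/usr/sbin:/usr/sbin/nologin"}}]},
    separators=(",", ":"))

if __name__ == "__main__":
    print("fingerprint:", looks_like_config_server(FINGERPRINT_BODY))
    print("exploited:", traversal_succeeded(200, "application/json", EXPLOITED_BODY))
    for path in TRAVERSAL_PATHS:
        raw = raw_profile_from_path(path)
        print(f"{raw!r:45} -> {profile_segments(raw)} safe={profile_is_safe(raw)}")
```

The guard decodes until the string stops changing, which is what catches the ..%252F variant: a filter that decodes once sees "..%2F" and lets it through, and the server then decodes it again. The '"root":"x:0:0:' marker only fires on compact JSON, so a pretty-printing proxy in front of the server would turn a true positive into a miss; check the first marker as well before concluding a target is safe. None of this replaces upgrading to the fixed versions listed above.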
OSV (osv · 2026-03-24)
CVE-2026-22739 [HIGH] Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access
Description as in the advisory text above.
GHSA (ghsa · 2026-03-24)
CVE-2026-22739 [HIGH] CWE-22 Spring Cloud Config Server: Path Traversal via Profile Parameter Allows Arbitrary File Access
Description as in the advisory text above.
No detection rules found.
Nuclei (nuclei · CVSS 8.6)
CVE-2026-22739 [HIGH] Spring Cloud Config Server - Path Traversal
Spring Cloud 3.1.x < 3.1.13, 4.1.x < 4.1.9, 4.2.x < 4.2.3, 4.3.x < 4.3.2, and 5.0.x < 5.0.2 contain a path traversal caused by profile parameter substitution in Config Server when the native file system backend is used, letting attackers access files outside the configured directories; exploitation requires a crafted request.
Template (only the info block is reproduced here; the two-step request flow is described under Detection & IOCs above):
id: CVE-2026-22739
info:
  name: Spring Cloud Config Server - Path Traversal
  author: 0x_Akoko,vulnh0lic
  severity: high
  description: |
    Spring Cloud 3.1.x < 3.1.13, 4.1.x < 4.1.9, 4.2.x < 4.2.3, 4.3.x < 4.3.2, and 5.0.x < 5.0.2 contain a path traversal caused by profile parameter substitution in Config Server using native file system backend, letting attackers access files outside configured directories, exploit requires crafted request
Published 2026-03-24