Cyber Resilience

CVE-2026-22739

Severity: High

Published: 24 March 2026

Modified: 24 March 2026
KEV Added: not listed
Patch: fixed releases available
CVSS Score: v3.1 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.0122 (64.8th percentile)
Risk Priority: 60 (floored blend, peak EPSS)

Summary

CVE-2026-22739 is a high-severity Path Traversal (CWE-22) vulnerability in Spring Cloud (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22739 is a path traversal vulnerability (CWE-22) in Spring Cloud Config Server when the native file system backend is in use. The flaw occurs during substitution of the profile parameter supplied in a request, allowing access to files outside the configured search directories. It affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2, and carries a CVSS 3.1 score of 8.6.

An unauthenticated remote attacker can send a crafted request to the Config Server and read arbitrary files on the underlying file system. Successful exploitation yields high-impact disclosure of sensitive configuration data along with limited modification and availability effects.

The Spring advisory at https://spring.io/security/cve-2026-22739 directs users to upgrade to the fixed releases listed above.

EPSS for the CVE rose from a low baseline to a peak of 0.1498 on 2026-04-13 before receding to the current value of 0.0968, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

Path traversal in public-facing Spring Cloud Config Server enables exploitation of public-facing applications (T1190) and unauthorized reading of sensitive files from the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)
CVE-2023-42226 (shared CWE-22)
CVE-2026-39859 (shared CWE-22)
CVE-2024-55457 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2026-23939 (shared CWE-22)
CVE-2025-27098 (shared CWE-22)
CVE-2025-69411 (shared CWE-22)

Affected Assets

Spring Cloud (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Directly mitigates the path traversal vulnerability by requiring timely remediation through patching Spring Cloud Config Server to fixed versions such as 3.1.13 or later.

Prevent (SI-10 Information Input Validation): Validates the profile parameter in incoming requests to block path traversal sequences like '../' that enable access to files outside configured search directories.

Prevent (logical access control): Enforces logical access controls on file system resources to restrict reads to only approved directories, limiting exploitation impact even if input validation fails.
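The two preventive layers above (input validation on the profile value, and confining resolved paths to the configured search directories) can be shown together on the substitution the advisory describes. The following is an added illustration written for this page; it is not Spring Cloud Config Server's code. It assumes a constructed base directory (`/srv/config`) and a search-location template that embeds the request-supplied profile through a `{profile}` placeholder, and it treats the profile as a possibly comma-separated list of names. `resolve_unchecked` mirrors the flawed behaviour (plain substitution, no containment), while `resolve_hardened` applies an allowlist and a post-normalisation containment check. Python is used for the illustration; the same logic maps onto `Path.normalize()` and `Path.startsWith()` in Java.

```python
"""Added illustration of validating and confining a request-supplied profile
value that is substituted into a config search directory. Constructed for this
page; not Spring Cloud's own code."""
import posixpath
import re
from urllib.parse import unquote

# Constructed base directory and search-location template (assumption: the
# native backend's search location embeds the profile via a placeholder).
BASE_DIR = "/srv/config"
SEARCH_LOCATION_TEMPLATE = BASE_DIR + "/{profile}"

# Allowlist for a single profile name (constructed policy for this example):
# plain identifiers only, so '.', '/', NUL and encoded forms never pass.
PROFILE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def resolve_unchecked(profile: str) -> str:
    """Plain substitution followed by lexical normalisation.

    Mirrors the flawed behaviour the advisory describes: nothing constrains the
    result to BASE_DIR, so '..' segments in the profile walk out of the search
    directory.
    """
    return posixpath.normpath(SEARCH_LOCATION_TEMPLATE.format(profile=profile))


def is_within(base: str, candidate: str) -> bool:
    """True if the normalised candidate equals base or lies strictly below it.

    The trailing '/' guards against sibling-prefix matches such as
    '/srv/configs/x' being accepted for base '/srv/config'.
    """
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(candidate)
    return candidate == base or candidate.startswith(base.rstrip("/") + "/")


def validate_profiles(raw: str) -> list[str]:
    """Input-validation layer: decode once, split the list, allowlist each name.

    Raises ValueError on rejection. Double-encoded input is rejected outright
    rather than decoded repeatedly.
    """
    decoded = unquote(raw)
    if decoded != unquote(decoded):
        raise ValueError("profile is multiply encoded")
    names = [seg.strip() for seg in decoded.split(",")]
    for name in names:
        if not PROFILE_SEGMENT.match(name):
            raise ValueError(f"profile segment rejected: {name!r}")
    return names


def resolve_hardened(raw_profile: str) -> list[str]:
    """Validate, substitute, then enforce containment for every profile.

    The containment check is the second, independent layer: even if the
    allowlist were loosened later, a resolved path outside BASE_DIR is refused.
    """
    paths = []
    for name in validate_profiles(raw_profile):
        path = posixpath.normpath(SEARCH_LOCATION_TEMPLATE.format(profile=name))
        if not is_within(BASE_DIR, path):
            raise ValueError(f"resolved path escapes search directory: {path}")
        paths.append(path)
    return paths


def is_accepted(raw_profile: str) -> bool:
    """True when the hardened resolver accepts raw_profile, False when it rejects."""
    try:
        resolve_hardened(raw_profile)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample profile values as they might arrive in a request.
    for raw in ("prod", "prod,eu-west", "../../other/private.yml", "%2e%2e%2fother"):
        print(f"{raw!r}: unchecked -> {resolve_unchecked(unquote(raw))}; "
              f"hardened -> {'accepted' if is_accepted(raw) else 'rejected'}")
```

The allowlist alone would already stop the traversal, but keeping the containment check separate means the file-system layer still refuses an escaped path if the validation rule is relaxed or bypassed by an encoding the validator did not anticipate.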

References