CVE-2026-22739
Published: 24 March 2026
Summary
CVE-2026-22739 is a high-severity Path Traversal (CWE-22) vulnerability in Spring Cloud (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 35.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22739 is a path traversal vulnerability (CWE-22) in Spring Cloud Config Server when the native file system backend is in use. The flaw occurs during substitution of the profile parameter supplied in a request, allowing access to files outside the configured search directories. It affects Spring Cloud versions 3.1.X before 3.1.13, 4.1.X before 4.1.9, 4.2.X before 4.2.3, 4.3.X before 4.3.2, and 5.0.X before 5.0.2, and carries a CVSS 3.1 score of 8.6.
An unauthenticated remote attacker can send a crafted request to the Config Server and read arbitrary files on the underlying file system. Successful exploitation yields high-impact disclosure of sensitive configuration data along with limited modification and availability effects.
The Spring advisory at https://spring.io/security/cve-2026-22739 directs users to upgrade to the fixed releases listed above.
EPSS for the CVE rose from a low baseline to a peak of 0.1498 on 2026-04-13 before receding to the current value of 0.0968, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14664
Vulnerability details
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing Spring Cloud Config Server enables exploitation of public-facing applications (T1190) and unauthorized reading of sensitive files from the local system (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the path traversal vulnerability by requiring timely remediation through patching Spring Cloud Config Server to fixed versions such as 3.1.13 or later.
- SI-10 (Information Input Validation): validates the profile parameter in incoming requests to block path traversal sequences like '../' that enable access to files outside configured search directories.
- Logical access control on file system resources: restricts reads to only approved directories, limiting exploitation impact even if input validation fails.
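The following is an added example, not code from Spring Cloud or the advisory, showing how the two layered controls above (input validation of the profile value, then a containment check on the resolved location) look in practice. It models the native backend's substitution as a search-location template containing a `{profile}` placeholder resolved under a single root directory; that template form, the class name `ProfilePathGuard`, and the allow-list pattern are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not Spring Cloud code): two independent checks a native-backend
 * config server could apply to a request-supplied profile before touching the file system.
 * The "{profile}" template is an assumption used to model the substitution the advisory describes.
 */
public final class ProfilePathGuard {

    // SI-10 style allow-list: a profile is a plain token, so "../" or "/" can never be substituted.
    private static final Pattern SAFE_PROFILE = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    private final Path root;               // every resolved search location must stay under this directory
    private final List<String> templates;  // hypothetical search-location templates, e.g. "{profile}", "shared"

    public ProfilePathGuard(Path root, List<String> templates) {
        this.root = root.toAbsolutePath().normalize();
        this.templates = new ArrayList<>(templates);
    }

    /** Check 1: reject any profile value that is not a plain token. */
    public static boolean isSafeProfile(String profile) {
        return profile != null && SAFE_PROFILE.matcher(profile).matches();
    }

    /** Check 2 (access enforcement): only locations still under root survive substitution. */
    public List<Path> resolveSearchLocations(String profile) {
        if (!isSafeProfile(profile)) {
            throw new IllegalArgumentException("rejected profile value");
        }
        List<Path> allowed = new ArrayList<>();
        for (String template : templates) {
            Path candidate = root.resolve(template.replace("{profile}", profile)).normalize();
            if (isInsideRoot(candidate)) {
                allowed.add(candidate);
            }
        }
        return allowed;
    }

    /**
     * Containment check on its own, for the case where validation is bypassed or disabled.
     * normalize() folds ".." segments; Path.startsWith compares whole name elements, so a sibling
     * directory whose name merely begins with root's name does not pass. An absolute input replaces
     * root entirely on resolve(), so it fails the check as well. normalize() does not follow
     * symlinks; use toRealPath() on existing files when symlinks inside root are a concern.
     */
    public boolean isInsideRoot(String rawValue) {
        return isInsideRoot(root.resolve(rawValue).normalize());
    }

    private boolean isInsideRoot(Path candidate) {
        return candidate.startsWith(root);
    }

    public static void main(String[] args) {
        ProfilePathGuard guard = new ProfilePathGuard(
                Paths.get("/srv/config"), List.of("{profile}", "shared"));  // constructed root and templates
        System.out.println("dev -> " + guard.resolveSearchLocations("dev"));
        System.out.println("traversal contained? " + guard.isInsideRoot("../../outside-root"));
        System.out.println("absolute contained? " + guard.isInsideRoot("/absolute/path"));
        System.out.println("safe token? " + isSafeProfile("dev"));
        System.out.println("safe token? " + isSafeProfile("../dev"));
    }
}
```

The allow-list is the control that actually closes the reported class of bug; the containment check is defence in depth so that a validation gap elsewhere (a new parameter, a different code path) still cannot produce a location outside the configured directory. Upgrading to the fixed releases in the advisory remains the primary remediation.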