This vulnerability (CVE-2026-40981) involves an authorization bypass in Spring Cloud Config when configured to use Google Secrets Manager as a backend. A malicious client can craft requests that potentially expose secrets from Google Cloud projects that should not be accessible. Affected versions span multiple release lines from 3.1.0 through 5.0.2, with fixed versions released for each line. The CVSS 3.1 vector indicates the vulnerability is remotely exploitable over the network without authentication or user interaction, with a high impact on confidentiality but no impact on integrity or availability. The vulnerability is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The vendor provides patches and manages remediation for this cloud-hosted service.

Successful exploitation can lead to unauthorized disclosure of sensitive secrets stored in Google Cloud projects via the Spring Cloud Config server. This confidentiality breach could expose credentials or other sensitive configuration data across unintended projects. There is no impact on integrity or availability reported. No known exploits in the wild have been documented as of the publication date.

Patches are available for all affected versions: upgrade to Spring Cloud Config 3.1.14 or later, 4.1.10 or later, 4.2.7 or later, 4.3.3 or later, or 5.0.3 or later as applicable. Since this is a cloud-hosted service, the vendor typically manages remediation server-side; users should verify with the vendor advisory for confirmation and ensure their instances are updated accordingly. No additional mitigation steps are indicated by the vendor advisory.