The vulnerability CVE-2026-41002 affects the Spring Cloud Config Server's handling of the base directory (spring.cloud.config.server.git.basedir) used for cloning Git repositories. A TOCTOU race condition exists where the directory is checked and then used, allowing a potential attacker with high privileges to exploit the timing gap. Affected versions include 3.1.0 through 3.1.13, 4.1.0 through 4.1.9, 4.2.0 through 4.2.6, 4.3.0 through 4.3.2, and 5.0.0 through 5.0.2. Upgrades to later versions (e.g., 3.1.14+, 4.1.10+, 4.2.7+, 4.3.3+, 5.0.3+) are recommended but noted as Enterprise Support Only for some branches. The CVSS 3.1 score is 7.4 (high), reflecting local attack vector, high complexity, required privileges, no user interaction, and impacts to confidentiality and integrity with no impact on availability. No vendor advisory or patch links are provided, and remediation level is unspecified.

Successful exploitation of this TOCTOU race condition could allow an attacker with high privileges on the system to compromise the confidentiality and integrity of the configuration data managed by Spring Cloud Config Server. This could lead to unauthorized access or modification of configuration information. Availability is not impacted. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The description references upgrading to fixed versions (3.1.14+, 4.1.10+, 4.2.7+, 4.3.3+, 5.0.3+) which suggests fixes exist in those versions, but these are noted as Enterprise Support Only for some branches. Users should verify with Spring's official advisories and apply updates accordingly. Until patches are applied, limit high-privilege access to the affected systems to reduce risk.