CVE-2026-40981 – Spring Cloud Config and Spring AI
“When configuration and AI layers fail, attackers gain control over both data and logic.”
This patch addresses multiple vulnerabilities across Spring Cloud Config and Spring AI that impact input validation, access control, and request handling. These issues could allow unauthorized access, data exposure, or manipulation of application behavior in affected environments. The CVEs and their CVSS scores:
- CVE-2026-40982: CVSS 9.1 (Critical)
- CVE-2026-41002: CVSS 7.4 (High)
- CVE-2026-40981: CVSS 7.5 (High)
- CVE-2026-41713: CVSS 8.2 (High)
- CVE-2026-41712: CVSS 7.5 (High)
- CVE-2026-41705: CVSS 8.6 (High)
No verified exploitation has been confirmed. However, the presence of a Critical vulnerability alongside multiple High severity issues significantly increases risk, especially in cloud-native applications and AI-driven services that rely on these components for configuration management and intelligent processing.
Key Details
- Affected Product: VMware Spring Cloud Config
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-639