ZCyberNews
CVE-2026-41004

Spring Cloud Config Server Leaks Secrets in Trace Logs

CVE-2026-41004 (CVSS 4.4): Spring Cloud Config Server writes plaintext secrets to logs when trace logging is enabled. Affects versions 3.1.0–3.1.13 and 4.1.0–4.1.9.

Executive Summary

Spring Cloud Config Server, a widely used configuration management component for Java microservices, contains an information disclosure vulnerability (CVE-2026-41004, CVSS 4.4) that causes sensitive data — including passwords, API keys, and other secrets — to be written in plaintext to application logs when trace logging is enabled. The flaw affects all supported versions in the 3.1.x and 4.1.x release lines. VMware by Broadcom has released patches, though the fix for the 3.1.x branch is available only to enterprise support customers.

Technical Analysis

According to the advisory published by the Spring engineering team, the vulnerability resides in the TraceRepository component of Spring Cloud Config Server. When an administrator enables trace-level logging — typically for debugging configuration propagation or client-server interactions — the server logs the full request and response payloads, including any sensitive fields stored in the configuration properties themselves.

The advisory, hosted on the official Spring Security vulnerability disclosure page, states: "When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs." No further technical breakdown of the exact code path or affected classes has been released as of this writing.

The CVSS 4.4 score reflects a low attack complexity but a requirement that an attacker already have access to the log files — either through a separate compromise, a misconfigured log aggregation system, or a shared logging infrastructure. The confidentiality impact is rated as high for the exposed secrets, while integrity and availability are unaffected.

Affected Versions

  • Spring Cloud Config 3.1.x: versions 3.1.0 through 3.1.13 (inclusive) are affected. Users must upgrade to version 3.1.14 or later. VMware notes that 3.1.x is an enterprise-support-only branch, meaning the patch is not available to open-source community users.
  • Spring Cloud Config 4.1.x: versions 4.1.0 through 4.1.9 (inclusive) are affected. Users must upgrade to version 4.1.10 or later. This branch is fully supported for all users.

Earlier release lines (2.x and earlier) are not mentioned in the advisory and may be end-of-life; organizations still running those versions should treat them as unsupported and plan migrations.

Mitigations & Recommendations

Defenders should take the following steps in priority order:

  1. Upgrade immediately — For 4.1.x users, upgrade to 4.1.10 or later. For 3.1.x enterprise customers, upgrade to 3.1.14 or later. There are no reported workarounds that fully prevent the information disclosure without patching.
  2. Disable trace logging — If an immediate upgrade is not possible, ensure that trace-level logging is disabled on all Spring Cloud Config Server instances. This can be done by setting the logging.level.org.springframework.cloud.config.server property to WARN or ERROR (rather than TRACE) in application.properties or application.yml. Note that this only prevents new secrets from being logged; any secrets already written to existing log files remain exposed.
  3. Audit existing logs — Review log retention policies and scan historical logs for plaintext secrets. If logs are shipped to a centralized SIEM or log management platform, rotate credentials that may have been exposed. Tools like gitleaks or truffleHog can be run against log archives to detect leaked patterns.
  4. Restrict log access — Ensure that log files and log streams are access-controlled at the filesystem and network levels. Only authorized operations and security personnel should have read access to production logs.
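As an added example (not code from the advisory or this article), the checks behind steps 2 and 3 in Python: a scan of config-server TRACE lines for property names that usually hold secrets, and a resolver for the effective logger level that follows Spring Boot's logger hierarchy (most specific ancestor wins). The log layout, the JSON payload shape, and the sensitive-key pattern are constructed assumptions; only application.properties syntax is handled, not YAML.

```python
import json
import re

# Heuristic for property names that usually carry secrets (assumption: tune per environment).
SENSITIVE_KEY = re.compile(r"password|passwd|secret|token|api[-_.]?key|credential", re.IGNORECASE)

# Constructed sample of TRACE output echoing a resolved environment payload; layout is illustrative.
SAMPLE_LOG = (
    '2026-03-01 10:15:02.113 TRACE 1 --- [nio-8888-exec-1] config-server : '
    '{"name":"orders","profiles":["prod"],"propertySources":[{"name":"git:orders-prod.yml",'
    '"source":{"spring.datasource.username":"orders","spring.datasource.password":"Hunter2!",'
    '"payment.api-key":"sk_live_EXAMPLE123","server.port":"8081"}}]}\n'
    '2026-03-01 10:15:02.140 INFO 1 --- [nio-8888-exec-1] config-server : served orders/prod\n'
)

def find_leaked_secrets(log_text):
    """Return (line_no, property_name, value) for each sensitive-looking key in an echoed payload."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        start = line.find("{")
        if " TRACE " not in line or start == -1:
            continue  # only TRACE lines echo full payloads
        try:
            payload = json.loads(line[start:])
        except json.JSONDecodeError:
            continue
        for source in payload.get("propertySources", []):
            for key, value in source.get("source", {}).items():
                if SENSITIVE_KEY.search(key):
                    findings.append((line_no, key, value))
    return findings

def effective_level(properties_text, logger="org.springframework.cloud.config.server"):
    """Most specific configured ancestor (or root) wins; among equals, the last definition wins."""
    matches = []
    for idx, raw in enumerate(properties_text.splitlines()):
        key, sep, level = raw.strip().partition("=")
        if not sep or not key.startswith("logging.level."):
            continue
        name = key[len("logging.level."):].strip()
        name = "" if name == "root" else name
        if name == "" or name == logger or logger.startswith(name + "."):
            matches.append((len(name), idx, level.strip().upper()))
    return max(matches)[2] if matches else None

def trace_logging_enabled(properties_text):
    return effective_level(properties_text) == "TRACE"

# Weak setting (TRACE inherited from a parent logger) beside the corrected one.
WEAK_CONFIG = "logging.level.root=INFO\nlogging.level.org.springframework.cloud=TRACE\n"
SAFE_CONFIG = "logging.level.root=INFO\nlogging.level.org.springframework.cloud.config.server=WARN\n"
```

Every finding is a credential to rotate, not just a line to redact, since the value has already left the process boundary.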
