DevOps
The number one mistake of teams running Spring Cloud Config Server in production today is treating the pod filesystem as if it were theirs alone. Combine a shared volume, a basedir that JGit clones into, and a namespace neighbor that swaps a path component for a symlink at just the right moment, and the server ends up reading and writing files outside the directory it expects.
That scenario became CVE-2026-41002 (CVSS 7.4), disclosed on 2026-05-06 and fixed in Spring Cloud Config 4.3.3 and 5.0.3. It is a TOCTOU (time-of-check to time-of-use) flaw, and it lands right on the cloud-native architecture most of us use without a second thought. Let's break down what happens and how to lock it down today.