HeroDevs
Visit NES for Spring Home Page

Spring Cloud Config 3.0.x Release Notes

3 versions

Comprehensive release notes and changelog for Spring Cloud Config 3.0.x, including security patches, bug fixes, and feature updates across all supported versions.

May 7, 2026
Latest: 3.0.10
21 Patched Vulnerabilities
VEX Statements

May 2026

3.0.10

Released May 7, 2026
CVE-2026-40982
CVE-2026-41002
CVE-2026-41004
Full Version: 
3.0.7-spring-cloud-config-3.0.10

Bug Fixes

  • Directory traversal in spring-cloud-config-server resource lookups hardened with name, profile, and path validation (CVE-2026-40982).
  • File system manipulation hardened when using Git-backed repositories (CVE-2026-41002).
  • AWS CodeCommit credential provider no longer logs credentials at trace level (CVE-2026-41004).

March 2026

3.0.9

Released Mar 26, 2026
CVE-2026-22739
Full Version: 
3.0.7-spring-cloud-config-3.0.9

Bug Fixes

  • Spring Cloud Config profile substitution can allow unintended access to files and enable SSRF attacks (CVE-2026-22739).

3.0.8

Released Mar 11, 2026
CVE-2025-22232
Full Version: 
3.0.7-spring-cloud-config-3.0.8

Bug Fixes

  • Under certain conditions, the Vault token header may not be used in client requests to Vault (CVE-2025-22232).

Notes

  • This release originates from the open‑source Spring Cloud Config repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Cloud Config 3.0.7.

Dependency Upgrades

  • Spring Cloud Build (NES) 3.0.5-spring-cloud-build-3.0.6
  • Spring Cloud Bus (NES) 3.0.3-spring-cloud-bus-3.0.4
  • Spring Cloud Commons (NES) 3.0.6-spring-cloud-commons-3.0.7
  • Spring Vault (NES) 2.3.4-spring-vault-2.3.12

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.