Spring Cloud Config 4.2.x Release Notes

3 versions

Comprehensive release notes and changelog for Spring Cloud Config 4.2.x, including security patches, bug fixes, and feature updates across all supported versions.

May 7, 2026

Latest: 4.2.7

21 Patched Vulnerabilities

VEX Statements

May 2026

4.2.7

Released May 7, 2026

Full Version:

4.2.4-spring-cloud-config-4.2.7

Bug Fixes

GCP Secret Manager backend restricts secret retrieval to an allow-list of project IDs (CVE-2026-40981).
Directory traversal in spring-cloud-config-server resource lookups hardened with name, profile, and path validation (CVE-2026-40982).
File system manipulation hardened when using Git-backed repositories (CVE-2026-41002).
AWS CodeCommit credential provider no longer logs credentials at trace level (CVE-2026-41004).

March 2026

4.2.6

Released Mar 26, 2026

CVE-2026-22739

Full Version:

4.2.4-spring-cloud-config-4.2.6

Bug Fixes

Spring Cloud Config profile substitution can allow unintended access to files and enable SSRF attacks (CVE-2026-22739).

February 2026

4.2.5

Released Feb 4, 2026

Full Version:

4.2.4-spring-cloud-config-4.2.5

Notes

This release originates from the open‑source Spring Cloud Config repository forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds. This release contains no functional changes from Spring Cloud Config 4.2.4.

Dependency Upgrades

Spring Cloud Build (NES) 4.2.4-spring-cloud-build-4.2.5
Spring Cloud Bus (NES) 4.2.2-spring-cloud-bus-4.2.3
Spring Cloud Commons (NES) 4.2.4-spring-cloud-commons-4.2.5

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team