Vulnerability Reporthyness/spring-cloud-config-server:5.0-jdk21

hyness/spring-cloud-config-server:jdk21hyness/spring-cloud-config-server:5.0.3-569460f-jdk21hyness/spring-cloud-config-server:5.0-jdk21

DIGESTsha256:2b8c0789112cddae0379a81aaeb26f8aea7af894b81623d4069cacd68bc4899f

Executive Summary

Threat ScoreDANGEROUS• Exposed to 64 vulnerabilities, including 15 with severity >=6.0 and 2 with severity >=7.0 (CVE-2026-42581, CVE-2026-40976).• Critical HTTP request smuggling in Netty (CVE-2026-42581, CVSS 8.3) allows external attackers to bypass security controls.• Potential security bypass in Spring Boot default web security (CVE-2026-40976, CVSS 7.7) could expose all endpoints if default config is used.• Multiple high-severity DoS vulnerabilities in Netty (e.g., CVE-2026-42587) enable remote OOM crashes without authentication.• Image is from a reliable community publisher (18M+ pulls), but vulnerabilities far outweigh trust.• No post-exploit vulnerabilities present, but exposed surface risks are critical.

88/100DANGEROUS

ReputationPOPULAR COMMUNITY• High Reputation Community Image (18M+ pulls)• Pinned by digest (Immutable)

RELIABLE

This image poses a critical security risk and must not be used in production, especially as an internet-facing service. An attacker could exploit request smuggling to bypass security controls or exploit the Spring Boot default security bypass to gain unauthorized access to sensitive configuration data. Upgrading to patched versions of Netty (4.2.13.Final/4.1.133.Final) and Spring Boot (4.0.6) would resolve the critical findings. Note that CVE-2026-40976 only applies if the config server relies on default Spring Boot security; however, other vulnerabilities require no special configuration.

Vulnerabilities

Vulnerability Log

99 total

CVE ID	Adjusted Severity	Package	Exploit Probability	Risk Context
CVE-2026-42581	HIGH8.33	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-40976	HIGH7.73	org.springframework.boot:spring-boot 4.0.5 fixed in 4.0.6	0.4% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45674	MEDIUM6.8	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-47691	MEDIUM6.8	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42585	MEDIUM6.38	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.2% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-42587	MEDIUM6.38	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.5% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-48043	MEDIUM6.38	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.1.135.Final, 4.2.15.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-45416	MEDIUM6.38	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.6% Theoretical Threat	Directly ExposedContext importance: HIGH
CVE-2026-5598	MEDIUM6.38	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-34182	MEDIUM6.29	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-40542	MEDIUM6.21	org.apache.httpcomponents.client5:httpclient5 5.6 fixed in 5.6.1	0.6% Theoretical Threat	Directly Exposed
CVE-2026-41293	MEDIUM6.21	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42579	MEDIUM6.18	io.netty:netty-codec-dns 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42584	MEDIUM6.18	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.3% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-40973	MEDIUM5.95	org.springframework.boot:spring-boot 4.0.5 fixed in 4.0.6, 3.5.14	0.1% Theoretical Threat	Directly Exposed
CVE-2026-45673	MEDIUM5.78	io.netty:netty-resolver-dns 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-4437	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-6238	MEDIUM5.52	libc6 2.39-0ubuntu8.7 No fix yet	0.3% Theoretical Threat	Directly Exposed
CVE-2026-41417	MEDIUM5.52	io.netty:netty-codec-http 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	0.3% Theoretical Threat	Directly Exposed
CVE-2026-42580	MEDIUM5.52	io.netty:netty-codec-http 4.2.12.Final fixed in 4.2.13.Final, 4.1.133.Final	0.4% Theoretical Threat	Directly Exposed
CVE-2026-43512	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.6% Theoretical Threat	Directly Exposed
CVE-2026-34487	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.117, 10.1.54, 11.0.21	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42498	MEDIUM5.52	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Directly Exposed
CVE-2026-0636	MEDIUM5.52	org.bouncycastle:bcprov-jdk18on 1.81 fixed in 1.84	0.5% Theoretical Threat	Directly Exposed
CVE-2026-41726	MEDIUM5.52	org.springframework.kafka:spring-kafka 4.0.4 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22753	MEDIUM5.52	org.springframework.security:spring-security-config 7.0.4 fixed in 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22740	MEDIUM5.52	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2025-59250	MEDIUM5.5	com.microsoft.sqlserver:mssql-jdbc 13.2.1 fixed in 10.2.4.jre11, 11.2.4.jre11, 12.2.1.jre11, 12.6.5.jre11, 12.8.2.jre11, 12.10.2.jre11, 13.2.1.jre11	0.7% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-44249	MEDIUM5.5	io.netty:netty-handler 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-22747	MEDIUM5.5	org.springframework.security:spring-security-web 7.0.4 fixed in 7.0.5	0.2% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42578	MEDIUM5.1	io.netty:netty-handler-proxy 4.2.12.Final fixed in 4.1.133.Final, 4.2.13.Final	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-42198	MEDIUM5.1	org.postgresql:postgresql 42.7.10 fixed in 42.7.11	0.4% Theoretical Threat	Directly ExposedContext importance: MEDIUM
CVE-2026-5435	MEDIUM5.02	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-42770	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-9076	MEDIUM5.02	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-22741	MEDIUM5.02	org.springframework:spring-webmvc 7.0.6 fixed in 7.0.7, 6.2.18	0.2% Theoretical Threat	Directly Exposed
CVE-2026-7383	MEDIUM4.67	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34483	MEDIUM4.59	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.116, 10.1.54, 11.0.21	0.5% Theoretical Threat	Directly Exposed
CVE-2026-4046	MEDIUM4.5	libc6 2.39-0ubuntu8.7 No fix yet	0.4% Theoretical Threat	Directly Exposed
CVE-2026-42766	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Directly Exposed
CVE-2026-42767	MEDIUM4.5	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Directly Exposed
CVE-2026-47244	MEDIUM4.5	io.netty:netty-codec-http2 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webflux 7.0.6 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-22745	MEDIUM4.5	org.springframework:spring-webmvc 7.0.6 fixed in 7.0.7, 6.2.18	0.3% Theoretical Threat	Directly Exposed
CVE-2026-34180	MEDIUM4.25	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Directly Exposed
CVE-2026-22751	MEDIUM4.08	org.springframework.security:spring-security-core 7.0.4 fixed in 6.5.10, 7.0.5	0.1% Theoretical Threat	Directly Exposed
CVE-2026-22754	LOW3.83	org.springframework.security:spring-security-config 7.0.4 fixed in 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-4438	LOW3.4	libc6 2.39-0ubuntu8.7 No fix yet	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45536	LOW3.4	io.netty:netty-transport-native-kqueue 4.2.12.Final fixed in 4.2.15.Final, 4.1.135.Final	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45446	LOW3.15	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Directly Exposed
CVE-2026-43514	LOW3.15	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Directly Exposed
CVE-2026-22746	LOW3.15	org.springframework.security:spring-security-core 7.0.4 fixed in 6.5.10, 7.0.5	0.2% Theoretical Threat	Directly Exposed
CVE-2026-45447	LOW2.92	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-45447	LOW2.92	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	1.4% Low-Moderate Risk	Post-Exploit
CVE-2026-7383	LOW2.8	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	libssl3t64 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-45445	LOW2.78	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-42766	LOW2.7	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.6% Theoretical Threat	Post-Exploit
CVE-2026-42767	LOW2.7	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-34180	LOW2.55	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.5% Theoretical Threat	Post-Exploit
CVE-2026-44894	LOW2.29	io.netty:netty-codec-classes-quic 4.2.12.Final fixed in 4.2.15.Final	0.2% Theoretical Threat	Post-Exploit
CVE-2026-34182	LOW2.26	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-45446	LOW1.89	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-42770	LOW1.81	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.2% Theoretical Threat	Post-Exploit
CVE-2026-9076	LOW1.81	openssl 3.0.13-0ubuntu3.9 fixed in 3.0.13-0ubuntu3.11	0.3% Theoretical Threat	Post-Exploit
CVE-2026-33811	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-33811	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.5% Theoretical Threat	Not Applicable
CVE-2026-33814	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39820	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39836	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-39826	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42583	NONE0	io.netty:netty-codec-compression 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-42582	NONE0	io.netty:netty-codec-http3 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-44892	NONE0	io.netty:netty-codec-http3 4.2.12.Final fixed in 4.2.15.Final	0.5% Theoretical Threat	Not Applicable
CVE-2026-42577	NONE0	io.netty:netty-transport-native-epoll 4.2.12.Final fixed in 4.2.13.Final	0.4% Theoretical Threat	Not Applicable
CVE-2026-43515	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.4% Theoretical Threat	Not Applicable
CVE-2026-41284	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.8% Theoretical Threat	Not Applicable
CVE-2026-43513	NONE0	org.apache.tomcat.embed:tomcat-embed-core 11.0.20 fixed in 9.0.118, 10.1.55, 11.0.22	0.5% Theoretical Threat	Not Applicable
CVE-2026-41731	NONE0	org.springframework.kafka:spring-kafka 4.0.4 fixed in 4.0.6, 3.3.16	0.3% Theoretical Threat	Not Applicable
GHSA-2m67-wjpj-xhg9	NONE0	tools.jackson.core:jackson-core 3.1.0 fixed in 3.1.1	—	Not Applicable
CVE-2026-39823	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib v1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib v1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-39823	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.3% Theoretical Threat	Not Applicable
CVE-2026-39825	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.4% Theoretical Threat	Not Applicable
CVE-2026-42499	NONE0	stdlib 1.26.2 fixed in 1.25.10, 1.26.3	0.6% Theoretical Threat	Not Applicable
CVE-2026-42504	NONE0	stdlib 1.26.2 fixed in 1.25.11, 1.26.4	0.4% Theoretical Threat	Not Applicable
CVE-2026-27145	NONE0	stdlib 1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable
CVE-2026-42507	NONE0	stdlib 1.26.2 fixed in 1.25.11, 1.26.4	0.3% Theoretical Threat	Not Applicable