CVE-2026-40987 PUBLISHED

Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

Assigner: vmware
Reserved: 16.04.2026 Published: 11.06.2026 Updated: 11.06.2026

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.

Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
CVSS Score: 7.1

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	Spring
Product	Spring Integration
Versions	Default: unaffected affected from 7.0.0 to 7.0.5 (excl.) affected from 6.5.0 to 6.5.9 (excl.) affected from 6.4.0 to 6.4.12 (excl.) affected from 6.3.0 to 6.3.15 (excl.) affected from 5.5.0 to 5.5.21 (excl.)

References

https://spring.io/security/cve-2026-40987

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) CWE

Impacts

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem outside the configured local-directory with attacker-controlled content.