CVE-2026-9035 PUBLISHED

Multiple vulnerabilities in Aspera applications.

Assigner: ibm
Reserved: 19.05.2026 Published: 27.05.2026 Updated: 27.05.2026

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	IBM
Product	Aspera High-Speed Transfer Endpoint
Versions	affected from 3.7.4 to 4.4.7 Fix Pack 1 (incl.)

Vendor	IBM
Product	Aspera High-Speed Transfer Server
Versions	affected from 3.7.4 to 4.4.7 Fix Pack 1 (incl.)

Solutions

Product(s)VRMFRemediation/First FixIBM Aspera High-Speed Transfer Server4.4.7 Fix Pack 2Link to latest release (4.4.7 FP 2)IBM Aspera High-Speed Transfer Endpoint4.4.7 Fix Pack 2Link to latest release (4.4.7 FP 2)

Credits

The vulnerabilities were reported to IBM by Yannik Marchand. finder

References

https://www.ibm.com/support/pages/node/7273615

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE