CVE-2026-40987

Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

CVSS 7.1 HIGH | EPSS 0.2% | CWE-22
Because the synchronizer joins the server-supplied file name to localDirectory without canonicalizing the result, a malicious or compromised FTP, SFTP or SMB server can make the client write attacker-controlled content to arbitrary paths outside the configured localDirectory, anywhere the client process has write permission (CWE-22, path traversal via a file name carrying traversal components). Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
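The pattern behind the advisory, as an added illustration that is not Spring Integration's code and does not claim to reproduce the project's actual fix: the class, method and variable names below are hypothetical stand-ins for the synchronizer's local-file resolution, and the directory listing is constructed. `resolveUnchecked` shows the vulnerable join of a server-supplied name onto the local directory; `resolveChecked` shows the canonical-prefix check that a hardened version needs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example for CVE-2026-40987 (CWE-22). Not Spring Integration code:
 * the names here are hypothetical stand-ins for the remote-file synchronizer's
 * step of turning a remote directory entry into a local target path.
 */
public class LocalTargetResolution {

    /** The configured localDirectory, held in absolute, normalized form. */
    private final Path localDirectory;

    public LocalTargetResolution(Path localDirectory) throws IOException {
        this.localDirectory = localDirectory.toAbsolutePath().normalize();
        Files.createDirectories(this.localDirectory);
    }

    /**
     * Vulnerable pattern: the name returned by the remote server is joined
     * to localDirectory verbatim. A name such as "../../etc/cron.d/x" yields
     * a target outside localDirectory, and a subsequent write lands there.
     */
    public Path resolveUnchecked(String remoteFileName) {
        return localDirectory.resolve(remoteFileName);
    }

    /**
     * Hardened pattern: canonicalize the joined path lexically, then require
     * that it is a strict descendant of localDirectory. normalize() collapses
     * "." and ".." components so the prefix test sees the real destination.
     */
    public Path resolveChecked(String remoteFileName) {
        Path target = localDirectory.resolve(remoteFileName).normalize();
        if (!target.startsWith(localDirectory) || target.equals(localDirectory)) {
            throw new IllegalArgumentException(
                "remote file name escapes localDirectory: " + remoteFileName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("sync-local");
        LocalTargetResolution resolver = new LocalTargetResolution(base);

        // Constructed listing, as a malicious server might return it.
        String[] listing = {
            "report.csv",
            "../../etc/cron.d/backdoor",
            "../sibling.txt",
            "..",
            "sub/../report2.csv"
        };

        for (String name : listing) {
            Path unchecked = resolver.resolveUnchecked(name).normalize();
            System.out.printf("%-28s unchecked -> %s (inside=%b)%n",
                name, unchecked, unchecked.startsWith(base.toAbsolutePath().normalize()));
            try {
                System.out.printf("%-28s checked   -> %s%n", name, resolver.resolveChecked(name));
            } catch (IllegalArgumentException e) {
                System.out.printf("%-28s checked   -> rejected (%s)%n", name, e.getMessage());
            }
        }
    }
}
```

Two caveats a practitioner will want. First, `normalize()` is lexical: if an attacker can already plant a symbolic link inside localDirectory, a name that stays lexically inside can still resolve elsewhere, so resolve the parent with `toRealPath()` immediately before writing when that threat applies. Second, a remote directory listing should yield bare file names, so a stricter policy that rejects any name containing a path separator (`/` or `\`) outright is a reasonable addition in front of the canonical-prefix check rather than a replacement for it.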