Skip to main content

Spring CVE-2026-2817

MEDIUM
Creation of Temporary File With Insecure Permissions (CWE-378)
2026-02-19 36c7be3b-2937-45df-85ea-ca7133ea542c
4.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.4 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Red Hat
4.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:03 vuln.today
CVE Published
Feb 19, 2026 - 18:25 nvd
MEDIUM 4.4

DescriptionCVE.org

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.

AnalysisAI

Spring Data Geode's snapshot import functionality uses predictable temporary directories with overly permissive permissions, allowing local users on shared systems to read cache data belonging to other users. An attacker with basic local privileges can access and extract snapshot contents without authorization, compromising the confidentiality of sensitive cached information. No patch is currently available for this medium-severity vulnerability.

Technical ContextAI

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.

Affected ProductsAI

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp locati

RemediationAI

Monitor vendor advisories for a patch.

More in Spring

View all
CVE-2025-41243 CRITICAL POC
10.0 Sep 16

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. Rated critical severi

CVE-2025-70982 CRITICAL POC
9.9 Jan 26

Access control bypass in SpringBlade v4.5.0 importUser function allows low-privileged users to import sensitive user dat

CVE-2025-41242 MEDIUM POC
5.9 Aug 18

Spring Framework MVC applications can be vulnerable to a “Path Traversal Vulnerability” when deployed on a non-compliant

CVE-2025-70983 CRITICAL
9.9 Jan 23

SpringBlade v4.5.0 has an access control flaw in authRoutes allowing low-privileged users to escalate to admin through t

CVE-2025-41232 CRITICAL
9.1 May 21

Spring Security Aspects may not correctly locate method security annotations on private methods. Rated critical severity

CVE-2025-22235 HIGH
7.3 Apr 28

EndpointRequest.to() creates a matcher for null/** if the actuator endpoint, for which the EndpointRequest has been crea

CVE-2026-22718 MEDIUM
6.8 Jan 14

Arbitrary command execution in the VSCode Spring CLI extension allows local users with interactive access to execute arb

CVE-2025-41234 MEDIUM
6.5 Jun 12

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to

CVE-2025-22223 MEDIUM
5.3 Mar 24

Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. Ra

CVE-2025-41249 HIGH
7.5 Sep 16

The Spring Framework annotation detection mechanism may not correctly resolve annotations on methods within type hierarc

CVE-2025-41248 HIGH
7.5 Sep 16

The Spring Security annotation detection mechanism may not correctly resolve annotations on methods within type hierarch

CVE-2025-8525 MEDIUM POC
5.5 Aug 04

A vulnerability was found in Exrick xboot up to 3.3.4. Rated medium severity (CVSS 5.5), this vulnerability is remotely

Vendor StatusVendor

Share

CVE-2026-2817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy