
Spring Integration CVE-2026-40987

EUVD-2026-36202 · HIGH
Path Traversal (CWE-22)
2026-06-11 · vmware · GHSA-792x-6vq6-j8r9
CVSS 3.1 score 7.1 · Vendor: vmware

Severity by source

Vendor (vmware), primary: 7.1 HIGH
AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
vuln.today AI: 7.3 HIGH

Attacker must control the remote server the client is configured to trust (PR:H, AC:H, UI:R); arbitrary file write yields high integrity and availability impact with scope change beyond the app sandbox, no direct confidentiality loss.

CVSS 3.1: AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:H/A:H
CVSS 4.0: AV:N/AC:H/AT:N/PR:H/UI:P/VC:N/VI:H/VA:H/SC:N/SI:L/SA:L

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: Jun 11, 2026, 08:01 (EUVD)
Analysis generated: Jun 11, 2026, 07:03 (vuln.today)

Description (CVE.org)

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.

Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Analysis (AI)

Path traversal in Spring Integration's FTP/SFTP/SMB inbound adapters allows a malicious or compromised remote file server to write attacker-controlled files outside the configured local directory on any client polling it, affecting versions 5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, and 7.0.0-7.0.4. The flaw inverts the usual trust model: the file-transfer client trusts the server's filename, enabling overwrite of arbitrary host files such as configuration, cron, or application JARs, which can escalate to code execution. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Compromise or stand up hostile FTP/SFTP/SMB server
Delivery: Victim Spring Integration adapter polls server
Exploit: Server returns file with traversal filename
Install: Synchronizer writes file outside local-directory
C2: Overwrite app config or executable
Execute: Trigger reload or restart
Impact: Code execution or credential theft on client host

Vulnerability Assessment (AI)

Exploitation: The vulnerable application must use Spring Integration's FTP, SFTP, or SMB inbound channel adapter (or the underlying remote-file synchronizer) and must poll a file server that is either attacker-controlled or has been compromised; the attacker's leverage is the ability to choose remote filenames returned in directory listings or transfers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Signals are mixed but lean serious for organizations integrating with third-party file servers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An organization configures a Spring Integration SFTP inbound adapter to pull invoices nightly from a partner's SFTP server; the partner is compromised (or the partner is malicious from the outset) and serves a file whose remote name is '../../../../opt/app/config/application.properties' containing attacker-supplied JDBC and credential overrides. On the next poll, Spring Integration writes the file to the absolute path, and the next application restart picks up the malicious configuration, leading to credential theft or redirected traffic. …
Remediation: Patch available per vendor advisory at https://spring.io/security/cve-2026-40987; upgrade to the fixed maintenance release in your branch (5.5.x, 6.3.x, 6.4.x, 6.5.x, or 7.0.x past the affected ceiling listed above) as the primary fix, since the framework must reject traversal sequences and absolute paths in remote filenames. … Detailed patch versions, workarounds, and compensating controls in full report.
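The invariant the remediation describes (a remote name may only ever become a direct child of the configured local directory) as a standalone guard, added here as an illustration; it is not Spring Integration's code or its actual fix, and the local-directory value and sample names are constructed for the demo. It does more than the advisory's own cases by also rejecting backslash separators and subdirectory names, which the framework's patch may handle differently.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

/** Guard for remote filenames before they are written under a local directory. */
public final class RemoteFilenameGuard {
    private RemoteFilenameGuard() {}

    /**
     * Returns true only when writing {@code remoteName} under {@code localDirectory}
     * yields a direct child of that directory. Absolute paths, "..", and any path
     * separator in the name are rejected before the name reaches the filesystem.
     */
    public static boolean isSafeRemoteName(Path localDirectory, String remoteName) {
        if (remoteName == null || remoteName.isEmpty()) {
            return false;
        }
        // Reject both separator flavours explicitly: on a POSIX host a backslash is a
        // legal filename character, so normalize() alone would not catch "..\\..\\x".
        if (remoteName.indexOf('/') >= 0 || remoteName.indexOf('\\') >= 0) {
            return false;
        }
        if (remoteName.equals(".") || remoteName.equals("..")) {
            return false;
        }
        Path base = localDirectory.toAbsolutePath().normalize();
        Path target;
        try {
            target = base.resolve(remoteName).normalize();
        } catch (InvalidPathException e) {
            return false; // NUL bytes or other characters the local filesystem rejects
        }
        // Belt and braces: the normalized target must sit directly inside the base.
        return base.equals(target.getParent());
    }

    public static void main(String[] args) {
        Path local = Path.of("/var/app/inbox"); // constructed local-directory value
        String[] names = {
            "invoice-2026-06.pdf",
            "../../../../opt/app/config/application.properties", // name from the scenario above
            "/opt/app/lib/app.jar",
            "..\\..\\x.txt",
            "sub/file.txt",
            "..",
        };
        for (String n : names) {
            System.out.printf("%-55s %s%n", n, isSafeRemoteName(local, n) ? "accept" : "reject");
        }
    }
}
```

Only the first name is accepted; every other entry is rejected before any write is attempted, which is the check to apply (or verify the patched framework applies) wherever a remote listing drives local file creation.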

Recommended Action (AI)

Within 24 hours: Identify all systems running affected Spring Integration versions (5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, 7.0.0-7.0.4) and which use FTP/SFTP/SMB inbound adapters. …
