CVE-2026-2817 MEDIUM

CVE-2026-2817: Spring Data Geode Insecure Temporary Directory Usage

Vendor: VMware
Product: Spring Data Geode
Weakness: CWE-538
Published: February 19, 2026
Last update: February 20, 2026

CVSS base score

4.4/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Snapshot import in Spring Data Geode uses an insecure directory: it extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.
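
As an added illustration (not code from Spring Data Geode or from this record), the Java example below contrasts a predictable temp directory with archive extraction into a randomly named, owner-only one. It assumes a POSIX file system; the class, method and directory names and the sample archive are constructed for the example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.zip.*;

// Added illustration; not Spring Data Geode code. Assumes a POSIX file system.
public class PrivateSnapshotExtract {

    // Weak pattern: fixed, guessable name under java.io.tmpdir; permissions follow the umask.
    static Path predictableDir(String name) throws IOException {
        return Files.createDirectories(Paths.get(System.getProperty("java.io.tmpdir"), name));
    }

    // Hardened pattern: random suffix, and mode 0700 applied when the directory is created.
    static Path privateDir() throws IOException {
        return Files.createTempDirectory("snapshot-",
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------")));
    }

    // Extract a zip archive into a private directory, rejecting entries that escape it.
    static Path extract(Path archive) throws IOException {
        Path target = privateDir();
        try (ZipInputStream zip = new ZipInputStream(Files.newInputStream(archive))) {
            for (ZipEntry e = zip.getNextEntry(); e != null; e = zip.getNextEntry()) {
                Path out = target.resolve(e.getName()).normalize();
                if (!out.startsWith(target)) throw new IOException("entry escapes target: " + e.getName());
                if (e.isDirectory()) { Files.createDirectories(out); continue; }
                Files.createDirectories(out.getParent()); // nested dirs are shielded by the 0700 parent
                Files.copy(zip, out);                     // reads the current entry only
            }
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path archive = Files.createTempFile("sample-", ".zip"); // constructed sample archive
        try (OutputStream os = Files.newOutputStream(archive); ZipOutputStream z = new ZipOutputStream(os)) {
            z.putNextEntry(new ZipEntry("region/data.txt"));
            z.write("constructed cache entry".getBytes(StandardCharsets.UTF_8));
            z.closeEntry();
        }
        Path weak = predictableDir("example-snapshot"); // hypothetical fixed name
        Path safe = extract(archive);
        System.out.println(weak + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(weak)));
        System.out.println(safe + " " + PosixFilePermissions.toString(Files.getPosixFilePermissions(safe)));
    }
}
```

With a typical umask of 022 the first line prints `rwxr-xr-x` and the second `rwx------`; only the second directory keeps its contents from other local accounts.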

Key dates

02 Disclosure timeline

February 19, 2026: CVE published
February 20, 2026: Record updated