CVE-2026-40987 HIGH

CVE-2026-40987: Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

Vendor Spring
Product Spring Integration
Weakness CWE-22 · Path traversal
Published June 11, 2026
Last update June 11, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L

What the vulnerability does

01Description

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 11, 2026 Record updated

Related vulnerabilities

04Related CVE