CVE-2026-2817
Received
Received - Intake
Insecure Directory Use in Spring Data Geode Enables Data Exposure
Publication date: 2026-02-19
Last updated on: 2026-02-19
Assigner: HeroDevs
Description
Description
Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spring | framework | * |
| spring | data_geode | From 2.0.0 (inc) to 2.7.18 (exc) |
| spring | data_geode | From 1.7.0 (inc) to 2.2.13 (inc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-538 | The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. |
| CWE-378 | Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack. |
| CWE-379 | The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file. |
