CVE-2026-2818
Received Received - Intake
Zip-Slip Path Traversal in Spring Data Geode Import on Windows

Publication date: 2026-02-20

Last updated on: 2026-02-20

Assigner: HeroDevs

Description
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2818
EUVD
EUVD-2026-8329
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
spring datageode *
spring datageode From 1.7.0 (inc) to 2.2.13 (inc)
spring datageode From 2.0.0 (inc) to 2.7.18 (inc)
spring datagemfire From 1.7.0 (inc) to 2.2.13 (inc)
spring datagemfire From 2.0.0 (inc) to 2.7.18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2818 is a high-severity zip-slip path traversal vulnerability in the snapshot import functionality of Spring Data for Apache Geode and Spring Data GemFire. The issue arises because the filename sanitization logic depends on the platform's native path separator to remove directory components from ZIP entry names."}, {'type': 'paragraph', 'content': 'On Linux and macOS, which use \'/\' as the path separator matching ZIP specifications, this sanitization works correctly. However, on Windows, the native separator is \'\\\' which does not match the forward slashes used in ZIP entries. As a result, path traversal sequences like "../../../../" in ZIP entries are not detected on Windows.'}, {'type': 'paragraph', 'content': 'This allows an attacker who supplies a crafted archive during snapshot import to write files outside the intended extraction directory, potentially leading to arbitrary file writes to locations accessible by the application.'}] [1]

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory when importing a crafted ZIP or JAR archive on a Windows system running the affected Spring Data Geode or GemFire application.

The potential impacts include code execution, data corruption, or persistence through malicious startup scripts if the attacker can write files to locations accessible by the application.

Exploitation requires the application to be running on Windows, importing an attacker-controlled archive, and having write permissions to the target paths.

Mitigations include validating the integrity and origin of snapshot archives before import, avoiding untrusted snapshot archives, and running the application with minimal filesystem permissions to limit the impact.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises when importing attacker-controlled ZIP or JAR archives containing path traversal sequences that are not properly sanitized on Windows systems. Detection involves monitoring or inspecting snapshot import activities for suspicious ZIP entries with path traversal patterns such as "../../../../".'}, {'type': 'paragraph', 'content': 'Since the vulnerability is specific to Windows OS and the snapshot import functionality, you can detect potential exploitation by examining the contents of ZIP or JAR files before import for entries with directory traversal sequences.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect suspicious ZIP entries on Windows include using PowerShell or command-line tools to list archive contents and search for path traversal patterns:'}, {'type': 'list_item', 'content': 'Using PowerShell to list ZIP contents and filter for traversal sequences:\n\n```powershell\nAdd-Type -AssemblyName System.IO.Compression.FileSystem\n$zip = [System.IO.Compression.ZipFile]::OpenRead("path_to_archive.zip")\n$zip.Entries | Where-Object { $_.FullName -match \'\\.\\./|\\.\\.\\\\\' } | Select-Object FullName\n$zip.Dispose()\n```'}, {'type': 'list_item', 'content': 'Using 7-Zip command line to list archive contents and grep for traversal:\n\n```cmd\n7z l path_to_archive.zip | findstr "..\\..\\"\n```'}, {'type': 'paragraph', 'content': 'Additionally, monitoring application logs for errors or unusual file writes during snapshot import on Windows systems may help detect exploitation attempts.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Validate the integrity and origin of snapshot archives before importing them to ensure they come from trusted sources.
  • Avoid importing untrusted or unauthenticated snapshot archives.
  • Run the application with minimal filesystem permissions to limit the impact of any arbitrary file writes caused by exploitation.
  • Consider upgrading to a fixed version if available, or use the commercial Never-Ending Support (NES) version offered by HeroDevs for Spring Data Geode, which includes the fix.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2818. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart