HIGH · CVE-2026-40987 · CNA: vmware

CVE-2026-40987: Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: 5.5.21
  • Affected products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in Spring Integration's remote-file synchronizer (FTP, SFTP, and SMB adapters) allows a malicious or compromised remote server to write files to arbitrary locations on the client filesystem outside the configured local directory. The vulnerability is reached over the network, requires a low-privilege account, and also requires a victim to initiate or trigger a sync operation, as derived from the CVSS vector (AV:N/PR:L/UI:R). Successful exploitation gives an attacker the ability to write attacker-controlled content to arbitrary filesystem paths, with limited confidentiality and availability impact as well. Patched-image rebuilds at versions 5.5.21, 6.3.15, 6.4.12, 6.5.9, and 7.0.5 are available on HarborGuard for environments running affected versions.
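The title of this record names the missing step: the server-supplied file name is joined to the local directory without canonicalization. The check below is an added illustration written for this page, not Spring Integration's own code and not necessarily how the project fixed the issue. It assumes a client that receives a remote file name as a plain string (the class and method names are hypothetical) and shows the containment test a client should perform before opening anything under its local directory: make both paths absolute, collapse `.` and `..` segments, and require the result to still start with the local directory as a whole path element.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration (not Spring Integration's code): confine a
 * server-supplied remote file name to the configured local directory.
 * The remote server controls the name, so the client must not treat it
 * as a trustworthy path.
 */
public final class LocalPathGuard {

    private LocalPathGuard() {}

    /**
     * Resolve remoteName under localDirectory and reject any result that
     * escapes it. Both sides are made absolute and normalized (".." and "."
     * segments collapsed) before the containment check, so traversal
     * sequences and absolute names sent by the server cannot leave the
     * directory.
     *
     * @return the confined target path
     * @throws IllegalArgumentException if remoteName resolves outside localDirectory
     */
    public static Path confine(Path localDirectory, String remoteName) {
        if (remoteName == null || remoteName.isEmpty()) {
            throw new IllegalArgumentException("empty remote file name");
        }
        Path base = localDirectory.toAbsolutePath().normalize();
        // resolve() returns the argument unchanged when it is absolute, so an
        // absolute name from the server also ends up outside base and is rejected.
        Path target = base.resolve(remoteName).toAbsolutePath().normalize();
        // Path.startsWith compares whole name elements: "/var/app/sync" is not a
        // prefix of "/var/app/sync-other/x" here, whereas a String prefix check would match.
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("remote file name escapes local directory: " + remoteName);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample local directory and sample names of the kind a
        // server might send; only the accept/reject decision matters.
        Path localDir = Paths.get("/var/app/sync");
        String[] names = {
            "report.csv",
            "2026/04/report.csv",
            "../../outside/file.txt",
            "/tmp/absolute.txt"
        };
        for (String n : names) {
            try {
                System.out.println("accept " + n + " -> " + confine(localDir, n));
            } catch (IllegalArgumentException e) {
                System.out.println("reject " + n + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two design points. First, `normalize()` works on the path text and does not consult the filesystem; if the local directory can contain symbolic links that someone else controls, resolve the target with `toRealPath()` after it has been created, or create files with `LinkOption.NOFOLLOW_LINKS` semantics, and re-check containment. Second, the check is a per-file guard, not a replacement for the patched versions listed on this page; it limits damage from a server that sends hostile names until the client can be upgraded.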

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-40987 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Spring Integration. Coverage applies to both registry scans and in-pipeline image checks at build time.

Triage (Available)

HarborGuard scores this CVE at CVSS 7.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (Available)

A patched-image rebuild targeting the applicable fix version (5.5.21, 6.3.15, 6.4.12, 6.5.9, or 7.0.5, depending on the affected version in use) becomes available in HarborGuard once the fix is matched to the image manifest. For customers who opt into auto-remediation, HarborGuard performs a rebuild, runs a regression test pass, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must operate or compromise a remote file server (FTP, SFTP, or SMB) that the client application reaches over the network.

  • Authentication: Required

    The attacker must hold at least a low-privilege account or position sufficient to control or impersonate the remote file server the client synchronizes against.

  • Victim interaction: Required

    A user or scheduled process must trigger a sync operation against the malicious server, making this a social-engineering or configuration-abuse vector rather than a fully autonomous one.

  • Attack complexity: High

    Attack complexity is rated HIGH, meaning the attacker must set up or compromise the specific remote server endpoint the client trusts, rather than exploiting a purely opportunistic path.

Blast Radius

  • Writes attacker-controlled file content to arbitrary paths on the client filesystem, including outside the configured local synchronization directory.
  • Overwrites sensitive files such as application configuration, credentials, or startup scripts, enabling persistence or privilege escalation on the host.
  • Reads limited data accessible through the sync channel, providing partial disclosure of synchronized file metadata or content.
  • Disrupts application operation by corrupting or replacing files the application depends on at runtime.

How HarborGuard Handles This

Available on HarborGuard: images containing affected Spring Integration versions (5.5.0-5.5.20, 6.3.0-6.3.14, 6.4.0-6.4.11, 6.5.0-6.5.8, 7.0.0-7.0.4) are flagged automatically within minutes of the CVE entering the ingestion pipeline, covering both pre-built images pulled from external registries and custom images built internally. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, runs a regression test pass, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. Where auto-remediation is not enabled, the flagged finding is routed to the owning team for manual action. As a compensating control while a patched image is being prepared, consider applying network policy to restrict which hosts client workloads are permitted to reach over FTP, SFTP, or SMB ports, reducing the ability of a compromised server to exploit the sync path.


Fix available

5.5.21 · 6.3.15 · 6.4.12 · 6.5.9 · 7.0.5
Affected packages
  • Spring / Spring Integration
    < 7.0.5 (from 7.0.0) · < 6.5.9 (from 6.5.0) · < 6.4.12 (from 6.4.0) · < 6.3.15 (from 6.3.0) · < 5.5.21 (from 5.5.0)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L