Description
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.
Published: 2026-02-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write via Path Traversal
Action: Apply Patch
AI Analysis

Impact

A zip‑slip path‑traversal flaw exists in VMware's Spring Data Geode import snapshot functionality that allows a crafted snapshot file to extract files outside the intended directory on Windows. This can cause unintentionally created or overwritten files, potentially exposing sensitive application data or affecting application stability. The weakness matches the common path‑traversal categories identified by CWE‑22 and CWE‑23.

Affected Systems

The vulnerability impacts VMware Spring Data Gemfire and Spring Data Geode when they run on Windows. No explicit version range is disclosed; therefore all Windows installations using either component should be reviewed until a vendor fix is released.

Risk and Exploitability

The CVSS score of 8.2 indicates a high severity, while the EPSS score of less than 1 % suggests exploitation is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector involves an authorized user providing a crafted snapshot file to the import mechanism; the exact prerequisites are not documented, so this inference remains preliminary.

Generated by OpenCVE AI on April 18, 2026 at 11:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or upgrade to the latest release of Spring Data Gemfire and Spring Data Geode that addresses the path‑traversal issue.
  • If a fix is not yet available, disable or restrict the import snapshot feature on Windows environments so that only trusted administrators can invoke it.
  • Configure the application to enforce strict extraction directory controls, validating file paths and rejecting components that resolve outside the intended directory.
  • Monitor file‑system changes and authentication logs for unexpected writes outside expected directories.
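The third recommendation above is the standard zip-slip control: canonicalise every archive entry path against the extraction directory before writing, and refuse any entry that resolves outside it. The following Java routine is an added illustration of that control; it is not OpenCVE's text and not code from Spring Data Geode or Spring Data GemFire, and it says nothing about how those projects actually extract snapshots. The class and method names (SafeZipExtractor, resolveEntry, extract) and the entry names in the sample archive are hypothetical; the archive itself is constructed in memory so the program runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/** Hypothetical extractor showing the zip-slip check; not the Spring Data Geode implementation. */
public final class SafeZipExtractor {

    /**
     * Resolve an archive entry name against the extraction root and reject any result that
     * escapes it. Working on a normalized java.nio.file.Path rather than the raw string matters
     * on Windows: there, backslashes and drive-letter prefixes ("C:\") are path syntax, so an
     * entry such as "..\..\x" or "C:\x" resolves outside the root even though it contains no "../".
     */
    static Path resolveEntry(Path targetDir, String entryName) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        // normalize() collapses ".." segments; an absolute entry name replaces root entirely.
        Path candidate = root.resolve(entryName).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("Zip entry escapes extraction directory: " + entryName);
        }
        return candidate;
    }

    /** Stream an archive to targetDir, validating each entry path before anything is written for it. */
    static void extract(InputStream archive, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path out = resolveEntry(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(out);
                } else {
                    Files.createDirectories(out.getParent());
                    Files.copy(zis, out, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("snapshot-import");

        // Constructed sample archive: one ordinary entry and one traversal entry.
        // Entry names are placeholders, not real snapshot file names.
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bytes)) {
            zos.putNextEntry(new ZipEntry("region/sample.bin"));
            zos.write("ok".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../escaped.txt"));
            zos.write("should never be written".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }

        try {
            extract(new ByteArrayInputStream(bytes.toByteArray()), target);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
        System.out.println("Ordinary entry written: " + Files.exists(target.resolve("region/sample.bin")));
        System.out.println("Traversal entry written: "
                + Files.exists(target.getParent().getParent().resolve("escaped.txt")));
    }
}
```

Because the archive is streamed, entries before the offending one have already been written when it is rejected; where a half-imported snapshot is itself a problem, validate every entry name in a first pass (or extract into a fresh temporary directory and move it into place only after the whole archive passes). Pair the check with the fourth recommendation: an unexpected write outside the import directory, or an entry rejected by this check, is worth logging and alerting on.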

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Vmware
                                      Vmware spring Data Gemfire
                                      Vmware spring Data Geode
Vendors & Products                    Vmware
                                      Vmware spring Data Gemfire
                                      Vmware spring Data Geode

Sat, 21 Feb 2026 00:15:00 +0000

Type         Values Removed          Values Added
Weaknesses                           CWE-22
References
Metrics      threat_severity: None   threat_severity: Important


Fri, 20 Feb 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 16:30:00 +0000

Type          Values Removed   Values Added
Description                    A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.
Title                          Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)
Weaknesses                     CWE-23
References
Metrics                        cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: HeroDevs

Published:

Updated: 2026-02-20T20:12:35.205Z

Reserved: 2026-02-19T17:07:41.627Z

Link: CVE-2026-2818

Vulnrichment

Updated: 2026-02-20T20:12:24.717Z

NVD

Status : Deferred

Published: 2026-02-20T17:25:57.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2818

Redhat

Severity : Important

Public Date: 2026-02-20T16:03:21Z

Links: CVE-2026-2818 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses