Description
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.

Affected versions:
Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
Published: 2026-06-11
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a malicious or compromised FTP, SFTP, or SMB server to cause Spring Integration's remote-file synchronizer to write files under a specified local directory using a filename supplied by the server. Because the filename is not canonicalized, an attacker can manipulate the path to write arbitrary files outside the intended directory, potentially overwriting critical system files or placing malicious code on the client machine, which can enable remote code execution or privilege escalation.

Affected Systems

Spring Integration versions 7.0.0 through 7.0.4, 6.5.0 through 6.5.8, 6.4.0 through 6.4.11, 6.3.0 through 6.3.14, and 5.5.0 through 5.5.20 are affected. The flaw is triggered when the remote-file synchronizer component is used with an insecure remote server.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is not available, so the current likelihood of exploitation is unknown, but the widespread affected versions and the ability to exploit the flaw whenever the synchronizer connects to an attacker-controlled server raise concern. The issue is not listed in the CISA KEV catalog, yet the potential for remote code execution warrants monitoring and rapid remediation.

Generated by OpenCVE AI on June 11, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Integration to a version that contains the fix, for example 7.0.5 or newer, or any later release outside the affected 6.x and 5.5 ranges listed above.
  • If an immediate upgrade is not viable, place the application behind a network firewall or other filtering device that blocks unauthorized FTP, SFTP, or SMB traffic, and restrict the synchronizer to trusted servers only.
  • Ensure the localDirectory parameter is configured to a fully canonicalized, non-relative path and consider implementing additional client-side validation to reject any filename that resolves outside this directory.
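As an added illustration of the last recommendation (this is example code, not code from Spring Integration or from the OpenCVE page), the Java method below canonicalizes the configured local directory, resolves a server-supplied file name against it and rejects any result that leaves that directory, including absolute names and symlinked parents. The class name, method name and sample file names are constructed for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

public class SafeLocalFileResolver {

    /**
     * Resolve a server-supplied file name against the configured local directory and
     * refuse anything whose canonical form escapes that directory.
     */
    public static Path resolveWithinLocalDirectory(Path localDirectory, String serverSuppliedName)
            throws IOException {
        // Canonicalize the base first so symlinks and ".." in its own path cannot skew the check.
        Path base = localDirectory.toRealPath();
        // Path.resolve() returns an absolute argument unchanged, so a name like "/tmp/x" would
        // silently leave the base; normalize() folds "." and ".." before the prefix test.
        Path candidate = base.resolve(serverSuppliedName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("file name escapes local directory: " + serverSuppliedName);
        }
        // The target usually does not exist yet; check that its nearest existing ancestor is not
        // a symlink that points outside the base (the lexical test above cannot see symlinks).
        Path existing = candidate;
        while (existing != null && !Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (existing != null && !existing.toRealPath().startsWith(base)) {
            throw new IOException("file name traverses a symlink out of local directory: " + serverSuppliedName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path localDir = Files.createTempDirectory("sync-local"); // stands in for localDirectory
        // Constructed file names of the kind a remote listing could return.
        List<String> names = List.of("report.csv", "2026/06/report.csv", "../escape.txt",
                "ok/../../escape.txt", "/tmp/escape.txt");
        for (String name : names) {
            try {
                System.out.println("ACCEPT " + name + " -> " + resolveWithinLocalDirectory(localDir, name));
            } catch (IOException e) {
                System.out.println("REJECT " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first two names are accepted; the three remaining names are rejected before any file is opened for writing.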



Advisories

No advisories yet.

References
History

Thu, 11 Jun 2026 10:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Spring
                                      Spring spring Integration
Vendors & Products                    Spring
                                      Spring spring Integration

Thu, 11 Jun 2026 06:45:00 +0000

Type          Values Removed   Values Added
Description                    A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
Title                          Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
Weaknesses                     CWE-22
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L'}


Subscriptions

Spring Spring Integration
MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-11T12:46:24.043Z

Reserved: 2026-04-16T02:19:09.389Z

Link: CVE-2026-40987

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-06-11T07:16:27.053

Modified: 2026-06-11T15:21:30.653

Link: CVE-2026-40987

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T10:40:24Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')