Spring Integration 5.5.0-5.5.20 FTP/SFTP/SMB arbitrary file write
CVE-2026-40987 Published on June 11, 2026
Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.
Affected versions:
Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.
Vulnerability Analysis
According to the published vector, CVE-2026-40987 is exploitable over the network with high attack complexity, low privileges and user interaction required. In practice the precondition is control of the remote FTP/SFTP/SMB server the client synchronizes from: the synchronizer takes the file names that server returns in its directory listing and writes each one underneath the configured localDirectory without canonicalizing it, so a server-supplied name containing path separators or ".." segments resolves to a location outside that directory. The impact is rated low on confidentiality, high on integrity (arbitrary file write with attacker-controlled content), and low on availability.
Weakness Type
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2026-40987 has been classified as a directory traversal vulnerability or weakness.
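As an added illustration (not code from Spring Integration, nor the project's fix, nor part of this advisory), the following Java program contrasts the unsafe resolution pattern the description implies with a canonicalizing check that keeps the write inside the local directory. The class and method names (SyncPathCheck, resolveUnchecked, resolveChecked) and the sample directory listing are constructed for this example; the listing mimics what a malicious server could return and includes one benign entry for contrast.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/**
 * Added illustration (not Spring Integration source): how a remote-file
 * synchronizer is pushed outside its local directory by a malicious server,
 * and the canonicalization check that prevents it.
 */
public class SyncPathCheck {

    // Constructed sample of what a malicious FTP/SFTP/SMB server could return
    // in a directory listing; "report.csv" is the only legitimate entry.
    static final List<String> REMOTE_LISTING = List.of(
            "report.csv",
            "../../../../etc/cron.d/backdoor",
            "/var/www/html/shell.jsp",
            "..\\..\\Windows\\Tasks\\evil.job");

    /** Vulnerable pattern: join localDirectory and the server-supplied name as-is. */
    static Path resolveUnchecked(Path localDirectory, String remoteName) {
        // Path.resolve returns the argument unchanged when it is absolute, and
        // does nothing about ".." segments, so both escape the directory.
        return localDirectory.resolve(remoteName);
    }

    /**
     * Hardened pattern: a directory listing never legitimately yields anything
     * but a single path element, so reject separators of either flavour (a
     * backslash is a plain character on POSIX but a separator on Windows),
     * then canonicalize and require the target to stay under the real
     * local directory.
     */
    static Path resolveChecked(Path localDirectory, String remoteName) throws IOException {
        if (remoteName.isEmpty() || remoteName.contains("/") || remoteName.contains("\\")
                || remoteName.equals(".") || remoteName.equals("..")) {
            throw new IOException("remote name is not a simple file name: " + remoteName);
        }
        Path base = localDirectory.toRealPath();            // follows symlinks; directory must exist
        Path target = base.resolve(remoteName).normalize();  // collapse any "." / ".." segments
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IOException("target escapes local directory: " + target);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path local = Files.createTempDirectory("sync-local");
        for (String name : REMOTE_LISTING) {
            Path naive = resolveUnchecked(local, name).normalize();
            String where = naive.startsWith(local) ? "inside" : "OUTSIDE localDirectory";
            System.out.printf("%-36s unchecked -> %s (%s)%n", name, naive, where);
            try {
                Path safe = resolveChecked(local, name);
                System.out.printf("%-36s checked   -> accepted %s%n", name, safe);
            } catch (IOException e) {
                System.out.printf("%-36s checked   -> rejected: %s%n", name, e.getMessage());
            }
        }
    }
}
```

Run it with `java SyncPathCheck.java` (single-file source launch, Java 11 or later). On a POSIX host the unchecked resolution places the ".." and absolute entries under /etc and /var/www respectively, while the backslash entry only looks safe because backslash is not a separator there; the same name traverses on Windows, which is why the checked variant rejects it outright rather than relying on normalize() alone. Upgrading out of the affected ranges listed on this page remains the remedy; the check above is the property any fix has to establish.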
Products Associated with CVE-2026-40987
VMware Spring Framework (the Spring Integration module; affected versions are listed below).
Affected Versions
Spring Integration:
- 7.0.0 through 7.0.4 (every release from 7.0.0 up to, but not including, 7.0.5)
- 6.5.0 through 6.5.8 (up to, but not including, 6.5.9)
- 6.4.0 through 6.4.11 (up to, but not including, 6.4.12)
- 6.3.0 through 6.3.14 (up to, but not including, 6.3.15)
- 5.5.0 through 5.5.20 (up to, but not including, 5.5.21)