CVE-2026-2818
Published: 20 February 2026
Description
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be exploitable on Windows OS only.
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation directly addresses and patches the zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality.
Information input validation requires checking file paths from imported snapshots to block traversal outside the intended extraction directory.
Least privilege restricts the importing process's write access, limiting damage from arbitrary file writes even if path traversal occurs.
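The input-validation control above is the one that stops a zip-slip at the point of extraction. The following is an added illustration for this advisory, written in Python rather than taken from Spring Data Geode, and it makes one labelled assumption about the mechanism: a traversal check that only understands POSIX separators lets an entry such as `..\..\evil` through, which is harmless on Linux (the backslash is just a filename character) but escapes the directory on Windows. That is one plausible way a bug ends up Windows-only; it is not a statement of this CVE's root cause. The archive, entry names and directory layout are constructed for the demo; `is_safe_entry` and `safe_extract` are hypothetical helper names, not project APIs.

```python
"""Hardened archive extraction guarding against zip-slip (CWE-23).

Added illustration for CVE-2026-2818, not Spring Data Geode code.
All entry names, payloads and paths below are constructed for the demo.
"""
import io
import ntpath
import posixpath
import tempfile
import zipfile
from pathlib import Path

# Constructed entries: one benign file plus four traversal/absolute shapes.
# The backslash form is what an archive aimed at a Windows host looks like.
EXAMPLE_ENTRIES = {
    "data/ok.txt": b"safe",
    "../outside.txt": b"posix traversal",
    "..\\..\\outside.txt": b"windows traversal",
    "C:\\Windows\\Temp\\abs.txt": b"absolute windows path",
    "/etc/passwd": b"absolute posix path",
}


def naive_posix_check(entry_name: str) -> bool:
    """A check that only normalises with POSIX rules (assumed weak form).
    It passes backslash entries, which is the gap that makes such a bug
    Windows-only: '..\\..\\x' is one plain filename on Linux."""
    norm = posixpath.normpath(entry_name)
    return not (posixpath.isabs(norm) or norm.split("/")[0] == "..")


def is_safe_entry(entry_name: str) -> bool:
    """Reject an entry that could escape the extraction root under
    either POSIX or Windows path rules, whatever the host OS."""
    if "\x00" in entry_name or not entry_name.strip():
        return False
    # Treat both separators as separators regardless of host OS.
    unified = entry_name.replace("\\", "/")
    if posixpath.isabs(unified) or ntpath.isabs(entry_name):
        return False
    if ntpath.splitdrive(entry_name)[0]:  # 'C:x' or UNC prefix
        return False
    parts = [p for p in posixpath.normpath(unified).split("/") if p]
    return ".." not in parts


def build_demo_archive() -> bytes:
    """Construct an in-memory zip containing EXAMPLE_ENTRIES."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in EXAMPLE_ENTRIES.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def safe_extract(archive_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that pass the name check AND whose final
    resolved path stays under dest. Returns (extracted, rejected)."""
    dest = dest.resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_entry(name):
                rejected.append(name)
                continue
            target = (dest / name.replace("\\", "/")).resolve()
            # Second line of defence: containment check on the resolved path.
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def run_demo() -> dict:
    """Extract the constructed archive into a temp dir and report what
    landed inside the root and whether anything landed outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "extract"
        root.mkdir()
        extracted, rejected = safe_extract(build_demo_archive(), root)
        written = sorted(p.relative_to(root).as_posix()
                         for p in root.rglob("*") if p.is_file())
        outside = sorted(p.relative_to(tmp).as_posix()
                         for p in Path(tmp).rglob("*")
                         if p.is_file() and root not in p.parents)
    return {"extracted": extracted, "rejected": rejected,
            "written": written, "outside": outside}


if __name__ == "__main__":
    print(run_demo())
```

The two-layer design matters: the name check rejects entries before any path is built, and the resolved-path containment check catches anything the name check misses (symlinked parents, odd normalisation). Least privilege then bounds the blast radius if both are bypassed, which is why the three controls above complement rather than replace each other.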
Security Summary
CVE-2026-2818, published on 2026-02-20, is a zip-slip path traversal vulnerability (CWE-23) in Spring Data Geode's import snapshot functionality. It enables attackers to write files outside the intended extraction directory and, per the description, affects Windows operating systems only. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N).
Remote attackers can exploit this vulnerability over the network with low attack complexity and no privileges required, though user interaction is necessary, such as inducing a victim to import a malicious snapshot. Exploitation changes the scope and allows high integrity impact through arbitrary file writes outside the extraction directory, alongside low confidentiality impact and no availability disruption.
Mitigation details are available in the advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-2818.
Details
- CWE(s)