CVE-2026-2817

Creation of Temporary File in Directory with Insecure Permissions
Affects: Spring Data Geode (Spring)
Versions: >= 2.0.0 < 2.7.18, >= 1.7.0 <= 2.2.13
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Data Geode and Spring Data GemFire provide Spring-based configuration and programming model support for Apache Geode and Pivotal GemFire, respectively.

An insecure temporary directory usage vulnerability (CVE-2026-2817) has been identified in Spring Data Geode/GemFire: when a snapshot is imported from an archive, the archive is expanded into a location under the system temporary directory whose name is predictable and whose permissions leave it world-readable.

This issue affects multiple versions of Spring Data Geode.

Details

Vulnerability Info

This medium-severity vulnerability affects the snapshot import feature of the spring-data-geode package.

When a ZIP or JAR archive is supplied for snapshot import, the library extracts its contents into a temporary directory whose name is derived from the archive's filename and is therefore predictable. The directory is created with the process's default permissions, which on most systems (umask 022) leave it readable by every local user. The extracted files are not deleted once the import completes. A local user on the same host can therefore guess the directory name under java.io.tmpdir and read the Geode/GemFire cache data that another user exported into the snapshot, for as long as the directory remains on disk.

Mitigation

Spring Data Geode and Spring Data GemFire have reached end-of-life and are no longer community-supported. Affected users should leverage a commercial support partner like HeroDevs for post-EOL security support through NES for Spring.

Users of the affected components should apply one of the following mitigations:

  • Set the Java temporary directory (-Djava.io.tmpdir) to a directory that is private to the user running the JVM (mode 0700). This keeps the predictably named extraction directory out of reach of other local users; it does not change the predictable name or add cleanup.
  • Delete temporary snapshot directories immediately after each import, so that exported cache data does not persist on disk.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
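The Java class below is an added example written for this page; it is not code from Spring Data Geode, Apache Geode or HeroDevs. It puts the pattern described under Vulnerability Info (extraction directory named from the archive filename, created with default permissions, never removed) next to a hardened import that creates the directory with Files.createTempDirectory and owner-only permissions, guards against entries escaping the directory, and deletes the tree in a finally block, which covers the first two mitigations above. It also includes a startup guard that enforces the -Djava.io.tmpdir mitigation. The class name, method names, the geode-snapshot- prefix and the sample entry name are assumptions made for the example, and the archive built in main is constructed in place.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Comparator;
import java.util.Enumeration;
import java.util.Set;
import java.util.stream.Stream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;
import java.util.zip.ZipOutputStream;

// Illustrative class for this page; names are assumptions, not library APIs.
public final class SnapshotArchiveExtraction {

    // Vulnerable pattern: directory name is derived from the archive file name
    // (predictable), created with the process umask (often world-readable),
    // and never removed after the import.
    static Path extractPredictable(Path archive) throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        String name = archive.getFileName().toString().replaceAll("\\.(zip|jar)$", "");
        Path dir = Files.createDirectories(tmp.resolve(name));
        unzip(archive, dir);
        return dir; // leaked: other local users can read it after the import
    }

    // Hardened form: random name from Files.createTempDirectory, rwx------ set
    // atomically at creation, tree deleted once the import action has run.
    static <T> T withPrivateExtraction(Path archive, ImportAction<T> action) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(ownerOnly);
        Path dir = Files.createTempDirectory("geode-snapshot-", attr);
        try {
            unzip(archive, dir);
            return action.apply(dir);
        } finally {
            deleteRecursively(dir);
        }
    }

    @FunctionalInterface
    interface ImportAction<T> { T apply(Path extractedDir) throws IOException; }

    // Startup guard for the -Djava.io.tmpdir mitigation: fail if group or
    // others have any access to the temp directory (a shared /tmp is 1777).
    // POSIX only: getPosixFilePermissions throws on non-POSIX file systems.
    static void requirePrivateTmpDir() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(tmp);
        boolean shared = perms.stream().anyMatch(p -> !p.name().startsWith("OWNER_"));
        if (shared) {
            throw new IllegalStateException("java.io.tmpdir " + tmp + " is not user-private ("
                    + PosixFilePermissions.toString(perms) + "); start the JVM with -Djava.io.tmpdir=<0700 dir>");
        }
    }

    // Extraction with a path-traversal check so "../x" entries cannot escape dir.
    private static void unzip(Path archive, Path dir) throws IOException {
        Path root = dir.toRealPath();
        try (ZipFile zip = new ZipFile(archive.toFile())) {
            Enumeration<? extends ZipEntry> entries = zip.entries();
            while (entries.hasMoreElements()) {
                ZipEntry e = entries.nextElement();
                Path target = root.resolve(e.getName()).normalize();
                if (!target.startsWith(root)) {
                    throw new IOException("archive entry escapes extraction directory: " + e.getName());
                }
                if (e.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    try (InputStream in = zip.getInputStream(e)) { Files.copy(in, target); }
                }
            }
        }
    }

    private static void deleteRecursively(Path dir) throws IOException {
        try (Stream<Path> walk = Files.walk(dir)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException ex) { throw new UncheckedIOException(ex); }
            });
        }
    }

    // Demo: a constructed one-entry archive imported through the hardened path.
    public static void main(String[] args) throws IOException {
        requirePrivateTmpDir();
        Path archive = Files.createTempFile("snapshot-", ".zip");
        try (ZipOutputStream out = new ZipOutputStream(Files.newOutputStream(archive))) {
            out.putNextEntry(new ZipEntry("region-Customers.gfd")); // constructed sample entry
            out.write("constructed sample snapshot bytes".getBytes());
            out.closeEntry();
        }
        Path[] seen = new Path[1];
        Long files = withPrivateExtraction(archive, dir -> {
            seen[0] = dir;
            try (Stream<Path> s = Files.walk(dir)) { return s.filter(Files::isRegularFile).count(); }
        });
        Files.delete(archive);
        System.out.println("imported " + files + " file(s); extraction dir remains: " + Files.exists(seen[0]));
    }
}
```

Run it with the default /tmp on Linux and requirePrivateTmpDir throws, which is the intended fail-closed behaviour; run it as java -Djava.io.tmpdir="$HOME/jvmtmp" SnapshotArchiveExtraction after creating that directory with mode 0700 and it imports the constructed archive and reports that the extraction directory no longer exists. The guard deliberately rejects any group or other bit rather than just "others", since a group-readable temp directory still exposes exported cache data to every member of that group.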

Credits

  • Jonathan Leitschuh (@JLLeitschuh)

Vulnerability Details

Severity: Medium (CVSS bands used on this page: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-2817
Project Affected: Spring Data Geode
Versions Affected: >= 2.0.0 < 2.7.18, >= 1.7.0 <= 2.2.13
NES Versions Affected:
Published date: February 19, 2026
Fix date (approximate): February 19, 2026
Category: Creation of Temporary File in Directory with Insecure Permissions