CVE-2026-2818

Path Traversal
Affects: Spring Data Geode (Spring)
Versions: >= 2.0.0 <= 2.7.18, >= 1.7.0 <= 2.2.13
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

A zip-slip path traversal vulnerability in the import snapshot functionality of Spring Data for Apache Geode allows an attacker who supplies a crafted archive to write files outside the intended extraction directory. The issue appears to be exploitable only on Windows.

This high-severity vulnerability (CVE-2026-2818) affects the snapshot import feature on Windows in multiple published versions of Spring Data for Apache Geode and Spring Data GemFire.

Details

Vulnerability Info

This vulnerability affects the snapshot import feature of the spring-data-geode package.

The library's filename sanitization logic relies on the platform's native path separator to strip directory components from ZIP entry names. On Linux and macOS, the native separator (/) matches the ZIP specification and sanitization works correctly. On Windows, the native separator (\) does not match the forward slashes used in ZIP entries, so path traversal sequences like ../../../../ pass through undetected. An attacker who can supply a crafted archive for snapshot import can write files to arbitrary locations accessible by the application, potentially leading to code execution, data corruption, or persistence via startup scripts.
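The following is an added example, written for this page and not taken from Spring Data Geode or the HeroDevs fix; the helper names (stripWithSeparator, safeResolve, buildArchive) and the archive contents are constructed for illustration. It contrasts the flawed idea the advisory describes (keep only what follows the last native separator, which on Windows is "\" and so never matches the "/" in ZIP entry names) with a separator-independent check that resolves each entry against the extraction directory, normalizes the result and rejects anything that lands outside it:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipDemo {

    /** Constructed test data: one benign entry and one traversal entry (entry names use "/" per the ZIP spec). */
    static byte[] buildArchive() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(buf)) {
            for (String name : new String[] {"region-data.gfd", "../../../../startup/evil.bat"}) {
                zos.putNextEntry(new ZipEntry(name));
                zos.write(("payload for " + name).getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    /**
     * Reconstruction of the flawed approach (not the project's actual code): keep only the text after
     * the last occurrence of the platform separator. With "/" (Linux/macOS) the directory components
     * are removed; with "\\" (Windows) a forward-slash name is returned unchanged, traversal included.
     */
    static String stripWithSeparator(String entryName, String separator) {
        int idx = entryName.lastIndexOf(separator);
        return idx < 0 ? entryName : entryName.substring(idx + 1);
    }

    /**
     * Hardened check: normalize both separators, resolve the entry against the extraction directory,
     * and require the normalized result to stay under that directory. Path.startsWith compares whole
     * path components, so "/tmp/out-other" does not pass for base "/tmp/out".
     */
    static Path safeResolve(Path extractDir, String entryName) throws IOException {
        Path base = extractDir.toAbsolutePath().normalize();
        Path target = base.resolve(entryName.replace('\\', '/')).normalize();
        if (!target.startsWith(base)) {
            throw new IOException("zip entry escapes extraction directory: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        String traversal = "../../../../startup/evil.bat";
        System.out.println("separator '/'  -> " + stripWithSeparator(traversal, "/"));   // evil.bat
        System.out.println("separator '\\' -> " + stripWithSeparator(traversal, "\\"));  // unchanged

        // Extract the constructed archive with the hardened check; the traversal entry is rejected
        // on every platform, the benign one is written under the temp directory.
        Path extractDir = Files.createTempDirectory("snapshot-import");
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(buildArchive()))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                try {
                    Path target = safeResolve(extractDir, entry.getName());
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target);
                    System.out.println("extracted " + target);
                } catch (IOException e) {
                    System.out.println("rejected  " + entry.getName() + ": " + e.getMessage());
                }
            }
        }
    }
}
```

Run with `java ZipSlipDemo.java` (Java 11 or later). The first two lines show why the platform separator is the wrong thing to key on; the extraction loop shows the check a practitioner actually wants, which depends on where the resolved path ends up rather than on which separator appears in the entry name.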

An application is vulnerable only if all of the following hold:

  • The application is running on Windows
  • The application imports an attacker-controlled ZIP or JAR snapshot archive
  • The application has write permission to the target paths the crafted entry names resolve to

This issue affects multiple versions of Spring Data Geode.

Mitigation

Spring Data Geode and Spring Data GemFire have reached end-of-life and are no longer community-supported. Affected users should leverage a commercial support partner like HeroDevs for post-EOL security support through NES for Spring.

As interim workarounds:

  • Validate the integrity and origin of all snapshot archives before importing.
  • Avoid importing snapshot archives from untrusted sources.
  • Run the application with minimal filesystem permissions to limit the impact of arbitrary file writes.

Credits

  • Joe Kuhel from HeroDevs

Vulnerability Details
ID: CVE-2026-2818
Project Affected: Spring Data Geode
Versions Affected: >= 2.0.0 <= 2.7.18, >= 1.7.0 <= 2.2.13
NES Versions Affected: (none listed)
Published date: February 20, 2026
Approximate fix date: February 19, 2026
Severity: High
Category: Path Traversal

CVSS severity levels as used on this page:
  • Low: >= 0 and < 4
  • Medium: >= 4 and < 6
  • High: >= 6 and < 8
  • Critical: >= 8 and < 10