Directory Permissions Vulnerability in Spring Data Geode by VMware
CVE-2026-2817

4.8 MEDIUM

Key Information:

Vendor: VMware
CVE Published: 19 February 2026

What is CVE-2026-2817?

An insecure directory issue in VMware's Spring Data Geode causes snapshot imports to extract archives into predictable, permissive directories within the system temp location. In shared hosting environments, a local user with basic privileges can gain access to another user's extracted snapshot contents, exposing sensitive cache data. It is crucial to apply appropriate security measures to prevent unauthorized access to these directories.
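The directory handling described above, shown as an added Java example that is not Spring Data Geode's own code: a predictable, umask-dependent extraction directory beside a randomly named, owner-only one. The class and method names, the ZIP archive format and the sample entry are assumptions made for illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.zip.*;

public class SnapshotExtractDir {
    // Weak pattern: fixed name under java.io.tmpdir, permissions left to the umask
    // (commonly rwxr-xr-x), and no failure if another user pre-created the directory.
    static Path predictableDir(String name) throws IOException {
        return Files.createDirectories(Paths.get(System.getProperty("java.io.tmpdir"), name));
    }

    // Hardened pattern: random name, created atomically, owner-only on POSIX file systems.
    static Path privateDir() throws IOException {
        if (FileSystems.getDefault().supportedFileAttributeViews().contains("posix")) {
            return Files.createTempDirectory("snapshot-", PosixFilePermissions.asFileAttribute(
                    PosixFilePermissions.fromString("rwx------")));
        }
        return Files.createTempDirectory("snapshot-"); // non-POSIX: platform ACLs apply
    }

    // Extracts a ZIP (assumed format) into a private directory, rejecting escaping entries.
    static Path extract(InputStream archive) throws IOException {
        Path root = privateDir();
        try (ZipInputStream zip = new ZipInputStream(archive)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; ) {
                Path target = root.resolve(e.getName()).normalize();
                if (!target.startsWith(root)) throw new IOException("entry escapes " + root);
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zip, target);
            }
        }
        return root;
    }

    static String perms(Path p) throws IOException {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix")
                ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) : "(no POSIX view)";
    }

    public static void main(String[] args) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream(); // constructed sample archive
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            out.putNextEntry(new ZipEntry("region/data.bin"));
            out.write("constructed cache entry".getBytes());
            out.closeEntry();
        }
        Path weak = predictableDir("constructed-snapshot");
        Path safe = extract(new ByteArrayInputStream(buf.toByteArray()));
        System.out.println("predictable: " + weak + " " + perms(weak));
        System.out.println("private:     " + safe + " " + perms(safe));
    }
}
```

Files and subdirectories created under the private root still receive umask-derived modes, but other local users cannot traverse into an `rwx------` root to reach them.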

Affected Version(s)

Spring Data Gemfire 1.7.0.RELEASE <= 2.2.13.RELEASE

Spring Data Geode 2.0.0.RELEASE <= 2.7.18

CVSS V4

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
