Zip-Slip Path Traversal Vulnerability in Spring Data Geode
CVE-2026-2818

8.2HIGH

Key Information:

Vendor: Vmware
Status: Spring Data Geode; Spring Data Gemfire
Vendor: CVE Published:; 20 February 2026

What is CVE-2026-2818?

A zip-slip path traversal vulnerability has been identified in the import snapshot functionality of Spring Data Geode. This issue could allow attackers to manipulate file paths to write files outside the designated extraction directory, leading to potential unauthorized file access and manipulation. It is important to note that this vulnerability is specific to the Windows operating system, which could expose users to greater risks if not properly mitigated.

Affected Version(s)

Spring Data Gemfire 1.7.0.RELEASE <= 2.2.13.RELEASE

Spring Data Geode 2.0.0.RELEASE <= 2.7.18

References

https://www.herodevs.com/vulnerability-directory/cve-2026...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Feb 19, 2026

CVE-2026-2818 Data

JSON

Vmware

What is CVE-2026-2818?

Affected Version(s)

References

CVSS V3.1

Timeline