Remote-file synchronizer in Spring Integration writes server-supplied filename under localDirectory without canonicalization
CVE-2026-40987

7.1HIGH

Key Information:

Vendor: Spring
Status: Spring Integration
Vendor: CVE Published:; 11 June 2026

What is CVE-2026-40987?

A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.

Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

Affected Version(s)

Spring Integration 7.0.0 < 7.0.5

Spring Integration 6.5.0 < 6.5.9

Spring Integration 6.4.0 < 6.4.12

References

https://spring.io/security/cve-2026-40987

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 11, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40987 Data

JSON