Arbitrary File Read Vulnerability in IBM Aspera High-Speed Transfer Products
CVE-2026-9035

6.5MEDIUM

Key Information:

Vendor: IBM
Status: Aspera High-speed Transfer Endpoint; Aspera High-speed Transfer Server
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-9035?

IBM Aspera High-Speed Transfer Endpoint and Server versions from 3.7.4 to 4.4.7 Fix Pack 1 have a security issue within the asperahttpd component. This vulnerability could allow authenticated users to exploit the system and gain unauthorized access to sensitive files located within the server's local storage. Users are advised to update their systems promptly to mitigate potential risks.

Affected Version(s)

Aspera High-Speed Transfer Endpoint 3.7.4 <= 4.4.7 Fix Pack 1

Aspera High-Speed Transfer Server 3.7.4 <= 4.4.7 Fix Pack 1

References

https://www.ibm.com/support/pages/node/7273615

vendor-advisorypatch

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
May 19, 2026

Credit

The vulnerabilities were reported to IBM by Yannik Marchand.

CVE-2026-9035 Data

JSON