Spring Data Geode extracts sensitive files in predictable directories on shared hosts

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.8

Spring Data Geode extracts sensitive files in predictable directories on shared hosts

CVE-2026-2817

Summary

When using Spring Data Geode to import snapshots, sensitive files are stored in a predictable location on a shared host, making it possible for other users to access them. This could lead to exposure of confidential data. To mitigate this, ensure that only authorized users have access to the shared host and consider using a more secure directory for importing snapshots.

Original title

Original description

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.

nvd CVSS3.1 4.4

nvd CVSS4.0 4.8

Vulnerability type

CWE-378

CWE-379

CWE-538

https://www.herodevs.com/vulnerability-directory/cve-2026-2817

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026