CVE-2026-2817

Source
https://cve.org/CVERecord?id=CVE-2026-2817
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2817.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-2817
Published
2026-02-19T17:18:09.839Z
Modified
2026-07-15T01:48:57.434147465Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Spring Data Geode Insecure Temporary Directory Usage
Details

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.

Database specific
{
    "cna_assigner": "HeroDevs",
    "cwe_ids": [
        "CWE-378",
        "CWE-379",
        "CWE-538"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2817.json"
}
References

Affected packages

Git / github.com/spring-attic/spring-data-gemfire

Affected ranges

Type
GIT
Repo
https://github.com/spring-attic/spring-data-gemfire
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "1.7.0.RELEASE"
        },
        {
            "last_affected": "2.2.13.RELEASE"
        }
    ]
}

Affected versions

1.*
1.7.0.RELEASE
1.8.0.M1
1.8.0.RC1
1.8.0.RELEASE
1.9.0.M1
2.*
2.0.0.M1
2.0.0.M2
2.0.0.M3
2.0.0.M4
2.0.0.RC1
2.0.0.RC2
2.0.0.RC3
2.0.0.RELEASE
2.1.0.M1
2.1.0.M2
2.1.0.M3
2.1.0.RC1
2.1.0.RC2
2.1.0.RELEASE
2.2.0.M1
2.2.0.M2
2.2.0.M3
2.2.0.M4
2.2.0.RC1
2.2.0.RC2
2.2.0.RC3
2.2.0.RELEASE
2.2.1.RELEASE
2.2.10.RELEASE
2.2.11.RELEASE
2.2.12.RELEASE
2.2.13.RELEASE
2.2.2.RELEASE
2.2.3.RELEASE
2.2.4.RELEASE
2.2.5.RELEASE
2.2.6.RELEASE
2.2.7.RELEASE
2.2.8.RELEASE
2.2.9.RELEASE

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2817.json"

Git / github.com/spring-attic/spring-data-geode

Affected ranges

Type
GIT
Repo
https://github.com/spring-attic/spring-data-geode
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.0.0.RELEASE"
        },
        {
            "last_affected": "2.7.18"
        }
    ]
}

Affected versions

2.*
2.0.0.RELEASE
2.1.0.M1
2.1.0.M2
2.1.0.M3
2.1.0.RC1
2.1.0.RC2
2.1.0.RELEASE
2.2.0.M1
2.2.0.M2
2.2.0.M3
2.2.0.M4
2.2.0.RC1
2.2.0.RC2
2.2.0.RC3
2.2.0.RELEASE
2.3.0.M1
2.3.0.M2
2.3.0.M3
2.3.0.M4
2.3.0.RC1
2.3.0.RC2
2.3.0.RELEASE
2.4.0
2.4.0-M1
2.4.0-M2
2.4.0-RC1
2.4.0-RC2
2.5.0
2.5.0-M1
2.5.0-M2
2.5.0-M3
2.5.0-M4
2.5.0-M5
2.5.0-RC1
2.6.0
2.6.0-M1
2.6.0-M2
2.6.0-M3
2.6.0-RC1
2.7.0
2.7.0-M1
2.7.0-M2
2.7.0-M3
2.7.0-M4
2.7.0-RC1
2.7.1
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2817.json"