CVE-2026-40987
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk11th percentile - higher than 11% of all known CVEs
Summary
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content.
Risk Assessment
The organization may be exposed to unauthorized data modifications and potential information leaks, which could lead to serious legal and financial consequences.
Recommendation
It is recommended to update to the latest version of Spring Integration and implement appropriate security measures on FTP/SFTP/SMB servers to mitigate attack risks.
Original NVD description (English source)
A malicious or compromised FTP/SFTP/SMB server can write arbitrary files anywhere on the client filesystem (outside the configured local-directory) with attacker-controlled content. Affected versions: Spring Integration 7.0.0 through 7.0.4; 6.5.0 through 6.5.8; 6.4.0 through 6.4.11; 6.3.0 through 6.3.14; 5.5.0 through 5.5.20.

