{"id":"CVE-2026-2817","summary":"Spring Data Geode Insecure Temporary Directory Usage","details":"Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of cache data.","modified":"2026-07-15T01:48:57.434147465Z","published":"2026-02-19T17:18:09.839Z","database_specific":{"cna_assigner":"HeroDevs","cwe_ids":["CWE-378","CWE-379","CWE-538"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2817.json"},"references":[{"type":"WEB","url":"https://www.herodevs.com/vulnerability-directory/cve-2026-2817"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/2xxx/CVE-2026-2817.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2817"},{"type":"PACKAGE","url":"https://github.com/spring-attic/spring-data-gemfire"},{"type":"PACKAGE","url":"https://github.com/spring-attic/spring-data-geode"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/spring-attic/spring-data-gemfire","events":[{"introduced":"88434d05a4f304f6ff6d6b03362f290e9d8011b3"},{"last_affected":"f3fbd3fa7805002b31dec4a6ea1a0cb43c9acf3e"}],"database_specific":{"extracted_events":[{"introduced":"1.7.0.RELEASE"},{"last_affected":"2.2.13.RELEASE"}],"source":"AFFECTED_FIELD"}}],"versions":["2.2.13.RELEASE","2.2.12.RELEASE","2.2.11.RELEASE","2.2.10.RELEASE","2.2.9.RELEASE","2.2.8.RELEASE","2.2.7.RELEASE","2.2.6.RELEASE","2.2.5.RELEASE","2.2.4.RELEASE","2.2.3.RELEASE","2.2.2.RELEASE","2.2.1.RELEASE","2.2.0.RELEASE","2.2.0.RC3","2.2.0.RC2","2.2.0.RC1","2.2.0.M4","2.2.0.M3","2.2.0.M2","2.2.0.M1","2.1.0.RELEASE","2.1.0.RC2","2.1.0.RC1","2.1.0.M3","2.1.0.M2","2.1.0.M1","2.0.0.RELEASE","2.0.0.RC3","2.0.0.RC2","2.0.0.RC1","2.0.0.M4","2.0.0.M3","2.0.0.M2","2.0.0.M1","1.9.0.M1","1.8.0.RELEASE","1.8.0.RC1","1.8.0.M1","1.7.0.RELEASE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2817.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/spring-attic/spring-data-geode","events":[{"introduced":"bd51bdeba019f0dc17a0db198b7a13e94ab1a84c"},{"last_affected":"fe693f4b83eea80ef8ee5e1fd6e6f22e9531b888"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"2.0.0.RELEASE"},{"last_affected":"2.7.18"}]}}],"versions":["2.7.18","2.7.17","2.7.16","2.7.15","2.7.14","2.7.13","2.7.12","2.7.11","2.7.10","2.7.9","2.7.8","2.7.7","2.7.6","2.7.5","2.7.4","2.7.3","2.7.2","2.7.1","2.7.0","2.7.0-RC1","2.7.0-M4","2.7.0-M3","2.7.0-M2","2.7.0-M1","2.6.0","2.6.0-RC1","2.6.0-M3","2.6.0-M2","2.6.0-M1","2.5.0","2.5.0-RC1","2.5.0-M5","2.5.0-M4","2.5.0-M3","2.5.0-M2","2.5.0-M1","2.4.0","2.4.0-RC2","2.4.0-RC1","2.4.0-M2","2.4.0-M1","2.3.0.RELEASE","2.3.0.RC2","2.3.0.RC1","2.3.0.M4","2.3.0.M3","2.3.0.M2","2.3.0.M1","2.2.0.RELEASE","2.2.0.RC3","2.2.0.RC2","2.2.0.RC1","2.2.0.M4","2.2.0.M3","2.2.0.M2","2.2.0.M1","2.1.0.RELEASE","2.1.0.RC2","2.1.0.RC1","2.1.0.M3","2.1.0.M2","2.1.0.M1","2.0.0.RELEASE"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2817.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"}]}