ZeroPath at Black Hat USA 2026

Spring Integration CVE-2026-40987: Path Traversal via Malicious Remote File Server — Quick Look

A brief summary of CVE-2026-40987, a high severity path traversal vulnerability in Spring Integration's remote file synchronizer that allows a malicious or compromised FTP, SFTP, or SMB server to write arbitrary files anywhere on the client filesystem.

CVE Analysis

9 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Spring Integration CVE-2026-40987: Path Traversal via Malicious Remote File Server — Quick Look
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing filename canonicalization step in Spring Integration's remote file synchronizer allows a malicious or compromised FTP, SFTP, or SMB server to write files with attacker controlled content to arbitrary locations on the client filesystem, well outside the intended download directory. With five concurrent release lines affected (spanning versions 5.5.0 through 7.0.4) and Spring trusted by over half of Fortune 500 companies, CVE-2026-40987 represents a significant exposure for enterprise Java environments that rely on automated file synchronization workflows.

Spring Integration is an open source framework for enterprise application integration that implements the well known Enterprise Integration Patterns (EIPs) within the Spring ecosystem. It provides protocol specific adapters for FTP, SFTP, SMB, and other integration protocols, and is widely used in Java enterprise environments for asynchronous messaging, data transformation, and remote file processing.

Technical Information

Root Cause: Missing Filename Canonicalization

CVE-2026-40987 is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. The vulnerable component is the InboundFileSynchronizer, which is responsible for synchronizing files from remote FTP, SFTP, or SMB servers to a locally configured localDirectory.

When the synchronizer polls a remote server for new files, it accepts the filename supplied by that server and writes the file under localDirectory without resolving the pathname to its absolute, normalized form. Canonicalization is the process that would reveal whether a server supplied filename contains traversal sequences like ../ that escape the intended directory boundary. Because this step is absent, the synchronizer trusts the remote filename implicitly.

Per the MITRE CWE definition, CWE-22 occurs "when software constructs a pathname from external input without properly neutralizing special elements," allowing attackers to escape the intended restricted directory using elements such as ".." and "/" separators. Here, the external input is the filename provided by the remote server during the file transfer protocol exchange.

CVSS Vector Analysis

The CVSS v3.1 vector is AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L, yielding a score of 7.1 (HIGH).

Several elements deserve attention:

Changed Scope (S:C): The vulnerability in the Spring Integration synchronizer component impacts resources beyond its own security authority. The integrity violation is not confined to the application's data directory but extends to any writable location on the host filesystem.

High Integrity Impact (I:H): Arbitrary file writes with attacker controlled content can overwrite critical system or application files. Depending on the host's configuration and the application's filesystem permissions, an attacker could target SSH authorized_keys files, cron job configurations, application properties, or executable binaries, potentially achieving remote code execution or persistent backdoor access.

High Attack Complexity (AC:H) and User Interaction Required (UI:R): The attacker must either control or compromise the remote server, and the Spring Integration application must initiate a synchronization cycle. However, many production deployments use automated polling schedules, meaning the "user interaction" may occur without any human action once the polling interval triggers.

Exploitation Scenarios

Scenario 1: Malicious Server. An attacker sets up a rogue FTP, SFTP, or SMB server and causes the Spring Integration application to connect to it through misconfiguration, DNS hijacking, or social engineering. When the InboundFileSynchronizer polls this server, the server responds with filenames containing path traversal sequences (for example, ../../../etc/cron.d/malicious_job). The synchronizer writes the file to the traversed path rather than confining it to localDirectory.

Scenario 2: Compromised Legitimate Server. A legitimate remote server that the application already trusts is compromised by an attacker. The attacker modifies the filenames of files hosted on that server to include traversal sequences. The next synchronization cycle downloads the files to unintended locations on the client filesystem. This scenario aligns with supply chain attack patterns where trust in a legitimate upstream source is weaponized.

Both scenarios affect all three protocol adapters (FTP, SFTP, and SMB) because they share the same underlying InboundFileSynchronizer logic, expanding the attack surface across different file transfer protocols commonly used in enterprise integration workflows.

Impact Escalation

The ability to write arbitrary files with attacker controlled content is a well understood escalation primitive. Depending on the host environment and the privileges under which the Spring Integration application runs, an attacker could:

  • Overwrite SSH authorized_keys to gain persistent remote access
  • Plant cron jobs or systemd service files for scheduled code execution
  • Replace application configuration files to redirect data flows or inject credentials
  • Overwrite executable binaries or libraries loaded by other processes

Affected Systems and Versions

Five concurrent Spring Integration release lines are affected:

Release LineAffected RangeOpen Source FixEnterprise Fix (Tanzu Spring)
7.0.x7.0.0 through 7.0.47.0.57.0.4.1
6.5.x6.5.0 through 6.5.86.5.96.5.8.1
6.4.x6.4.0 through 6.4.11Not listed6.4.12
6.3.x6.3.0 through 6.3.14Not listed6.3.15
5.5.x5.5.0 through 5.5.20Not listed5.5.21

A notable gap exists for organizations running the 6.4.x, 6.3.x, and 5.5.x lines: open source patches are only available for the two most recent release lines (7.0.x and 6.5.x). Organizations on older versions must hold a Tanzu Spring enterprise subscription to receive patches, which creates a risk disparity where potentially more entrenched deployments face a longer exposure window.

Any application using the FTP Inbound Channel Adapter, SFTP Inbound Channel Adapter, or SMB Inbound Channel Adapter with the InboundFileSynchronizer is vulnerable if it connects to a server that could be malicious or compromised.

Vendor Security History

CVE-2026-40987 arrives during an unprecedented period of security activity in the Spring ecosystem. Broadcom reported a 1700% surge in monthly security advisories submitted by the Spring community between March and April 2026, attributed partly to the increasing use of AI to discover software flaws. This prompted what Broadcom described as the largest set of security updates in Spring's 23 year history.

Other notable Spring advisories published alongside or near CVE-2026-40987 include:

CVE IDComponentSeverityDescription
CVE-2026-40988Spring SAML 2.0MEDIUMUnbounded DEFLATE inflation in SAML 2.0 SP
CVE-2026-40993Spring SAML 2.0MEDIUMUnfiltered Java native deserialization
CVE-2026-22732Spring SecurityVariousAuthorization bypass via caching mechanisms
CVE-2026-22750SpringVariousSSL bundle configuration silently bypassed

The vulnerability was discovered and responsibly disclosed by three external researchers: M0untainShley, SharlongWen, and daehyuh. The advisory was coordinated through the VMware security team ([email protected], now under Broadcom) and published on June 10, 2026, with the NVD entry following on June 11, 2026.

Broadcom has responded to the broader advisory surge by investing in day zero CVE only patches for enterprise customers, over 100,000 validated dependency builds secured to SLSA Level 3 standard, and AI assisted scanning tools integrated into the application lifecycle.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization