Introduction
A missing filename canonicalization step in Spring Integration's remote file synchronizer allows a malicious or compromised FTP, SFTP, or SMB server to write files with attacker controlled content to arbitrary locations on the client filesystem, well outside the intended download directory. With five concurrent release lines affected (spanning versions 5.5.0 through 7.0.4) and Spring trusted by over half of Fortune 500 companies, CVE-2026-40987 represents a significant exposure for enterprise Java environments that rely on automated file synchronization workflows.
Spring Integration is an open source framework for enterprise application integration that implements the well known Enterprise Integration Patterns (EIPs) within the Spring ecosystem. It provides protocol specific adapters for FTP, SFTP, SMB, and other integration protocols, and is widely used in Java enterprise environments for asynchronous messaging, data transformation, and remote file processing.
Technical Information
Root Cause: Missing Filename Canonicalization
CVE-2026-40987 is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory. The vulnerable component is the InboundFileSynchronizer, which is responsible for synchronizing files from remote FTP, SFTP, or SMB servers to a locally configured localDirectory.
When the synchronizer polls a remote server for new files, it accepts the filename supplied by that server and writes the file under localDirectory without resolving the pathname to its absolute, normalized form. Canonicalization is the process that would reveal whether a server supplied filename contains traversal sequences like ../ that escape the intended directory boundary. Because this step is absent, the synchronizer trusts the remote filename implicitly.
Per the MITRE CWE definition, CWE-22 occurs "when software constructs a pathname from external input without properly neutralizing special elements," allowing attackers to escape the intended restricted directory using elements such as ".." and "/" separators. Here, the external input is the filename provided by the remote server during the file transfer protocol exchange.
CVSS Vector Analysis
The CVSS v3.1 vector is AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L, yielding a score of 7.1 (HIGH).
Several elements deserve attention:
Changed Scope (S:C): The vulnerability in the Spring Integration synchronizer component impacts resources beyond its own security authority. The integrity violation is not confined to the application's data directory but extends to any writable location on the host filesystem.
High Integrity Impact (I:H): Arbitrary file writes with attacker controlled content can overwrite critical system or application files. Depending on the host's configuration and the application's filesystem permissions, an attacker could target SSH authorized_keys files, cron job configurations, application properties, or executable binaries, potentially achieving remote code execution or persistent backdoor access.
High Attack Complexity (AC:H) and User Interaction Required (UI:R): The attacker must either control or compromise the remote server, and the Spring Integration application must initiate a synchronization cycle. However, many production deployments use automated polling schedules, meaning the "user interaction" may occur without any human action once the polling interval triggers.
Exploitation Scenarios
Scenario 1: Malicious Server. An attacker sets up a rogue FTP, SFTP, or SMB server and causes the Spring Integration application to connect to it through misconfiguration, DNS hijacking, or social engineering. When the InboundFileSynchronizer polls this server, the server responds with filenames containing path traversal sequences (for example, ../../../etc/cron.d/malicious_job). The synchronizer writes the file to the traversed path rather than confining it to localDirectory.
Scenario 2: Compromised Legitimate Server. A legitimate remote server that the application already trusts is compromised by an attacker. The attacker modifies the filenames of files hosted on that server to include traversal sequences. The next synchronization cycle downloads the files to unintended locations on the client filesystem. This scenario aligns with supply chain attack patterns where trust in a legitimate upstream source is weaponized.
Both scenarios affect all three protocol adapters (FTP, SFTP, and SMB) because they share the same underlying InboundFileSynchronizer logic, expanding the attack surface across different file transfer protocols commonly used in enterprise integration workflows.
Impact Escalation
The ability to write arbitrary files with attacker controlled content is a well understood escalation primitive. Depending on the host environment and the privileges under which the Spring Integration application runs, an attacker could:
- Overwrite SSH
authorized_keysto gain persistent remote access - Plant cron jobs or systemd service files for scheduled code execution
- Replace application configuration files to redirect data flows or inject credentials
- Overwrite executable binaries or libraries loaded by other processes
Affected Systems and Versions
Five concurrent Spring Integration release lines are affected:
| Release Line | Affected Range | Open Source Fix | Enterprise Fix (Tanzu Spring) |
|---|---|---|---|
| 7.0.x | 7.0.0 through 7.0.4 | 7.0.5 | 7.0.4.1 |
| 6.5.x | 6.5.0 through 6.5.8 | 6.5.9 | 6.5.8.1 |
| 6.4.x | 6.4.0 through 6.4.11 | Not listed | 6.4.12 |
| 6.3.x | 6.3.0 through 6.3.14 | Not listed | 6.3.15 |
| 5.5.x | 5.5.0 through 5.5.20 | Not listed | 5.5.21 |
A notable gap exists for organizations running the 6.4.x, 6.3.x, and 5.5.x lines: open source patches are only available for the two most recent release lines (7.0.x and 6.5.x). Organizations on older versions must hold a Tanzu Spring enterprise subscription to receive patches, which creates a risk disparity where potentially more entrenched deployments face a longer exposure window.
Any application using the FTP Inbound Channel Adapter, SFTP Inbound Channel Adapter, or SMB Inbound Channel Adapter with the InboundFileSynchronizer is vulnerable if it connects to a server that could be malicious or compromised.
Vendor Security History
CVE-2026-40987 arrives during an unprecedented period of security activity in the Spring ecosystem. Broadcom reported a 1700% surge in monthly security advisories submitted by the Spring community between March and April 2026, attributed partly to the increasing use of AI to discover software flaws. This prompted what Broadcom described as the largest set of security updates in Spring's 23 year history.
Other notable Spring advisories published alongside or near CVE-2026-40987 include:
| CVE ID | Component | Severity | Description |
|---|---|---|---|
| CVE-2026-40988 | Spring SAML 2.0 | MEDIUM | Unbounded DEFLATE inflation in SAML 2.0 SP |
| CVE-2026-40993 | Spring SAML 2.0 | MEDIUM | Unfiltered Java native deserialization |
| CVE-2026-22732 | Spring Security | Various | Authorization bypass via caching mechanisms |
| CVE-2026-22750 | Spring | Various | SSL bundle configuration silently bypassed |
The vulnerability was discovered and responsibly disclosed by three external researchers: M0untainShley, SharlongWen, and daehyuh. The advisory was coordinated through the VMware security team ([email protected], now under Broadcom) and published on June 10, 2026, with the NVD entry following on June 11, 2026.
Broadcom has responded to the broader advisory surge by investing in day zero CVE only patches for enterprise customers, over 100,000 validated dependency builds secured to SLSA Level 3 standard, and AI assisted scanning tools integrated into the application lifecycle.
References
- NVD: CVE-2026-40987
- Spring Security Advisory: CVE-2026-40987
- Spring Security Advisories Index
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory
- InboundFileSynchronizer API Documentation (Spring Integration 7.0.4)
- FTP Inbound Channel Adapter Documentation
- SMB Support Documentation
- Broadcom Expands Its Investment in Spring and Java Ecosystem Security
- Broadcom Bolsters Spring Security with Largest Update Ever
- Spring Integration Project Page
- CISA Known Exploited Vulnerabilities Catalog
- Spring Path Traversal Guide: Examples and Prevention (StackHawk)
- spring-projects/security-advisories (GitHub)



