Bug 2441384 (CVE-2026-2818)

Summary: CVE-2026-2818 org.springframework.data/spring-data-geode: Spring Data Geode: Path traversal vulnerability allows arbitrary file write via import snapshot functionality.
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: gmalinko, janstey, pdelbell, rstepani
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Spring Data Geode. This zip-slip path traversal vulnerability in the import snapshot functionality allows attackers to write files outside the intended extraction directory. This can lead to unauthorized modification of system files or the introduction of malicious content. This vulnerability primarily affects systems running on Windows operating systems.

Description OSIDB Bzimport 2026-02-20 17:03:40 UTC
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.