CVE-2026-2817

Description: Creation of Temporary File in Directory with Insecure Permissions
Affects: Spring Data Geode in Spring
Versions: - -
Severity: Medium
Category: Creation of Temporary File in Directory with Insecure Permissions

Vulnerability Details:
- Product: Spring Data Geode
- Affected packages: spring-data-geode, spring-data-gemfire
- Affected versions: ,
- GitHub repository: https://github.com/spring-projects/spring-data-geode
- Published packages: https://central.sonatype.com/artifact/org.springframework.data/spring-data-geode
- Package manager: Maven
- Fixed in: NES for Spring Data Geode

Vulnerability Info:
This medium-severity vulnerability affects the snapshot import feature of the spring-data-geode package. When a ZIP or JAR archive is provided for snapshot import, the library extracts its contents into a temporary directory whose name is predictably derived from the archive filename and which is created with default system permissions (typically world-readable). The extracted files are not cleaned up after the import. A local user can therefore enumerate the predictable temp directory names and read sensitive Geode/GemFire cache data exported by another user on the same system.

Mitigation:
- Set the Java temp directory (-Djava.io.tmpdir) to a user-private directory.
- It is also best practice to clean up temporary snapshot directories immediately after imports.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credits: Jonathan Leitschuh (@JLLeitschuh)
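
The first two mitigation steps as a launcher sketch (an added example, not code from the advisory or from Spring Data Geode): it gives the JVM an owner-only java.io.tmpdir, verifies the permissions, and deletes the directory once the import process exits. The function names, the `PRIVATE_TMP_BASE` variable, the `geode-import` prefix and `snapshot-import.jar` are assumptions.

```shell
#!/bin/sh
# Added example: run a JVM with an owner-only java.io.tmpdir and remove it afterwards.
# PRIVATE_TMP_BASE and the "geode-import" prefix are assumptions of this sketch.

# Create a fresh directory (mktemp -d creates it with mode 0700) and print its path.
make_private_tmpdir() {
    ptd_base=${1:-${PRIVATE_TMP_BASE:-$HOME}}
    mktemp -d "$ptd_base/geode-import.XXXXXXXX"
}

# Succeed only for a real directory that grants nothing to group or other.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1") in
        d???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run "$@" with java.io.tmpdir pointing at a private directory, then delete
# that directory together with anything the import extracted into it.
run_with_private_tmpdir() {
    ptd_dir=$(make_private_tmpdir) || return 1
    if ! is_private_dir "$ptd_dir"; then
        rm -rf "$ptd_dir"
        return 1
    fi
    # The JVM reads JAVA_TOOL_OPTIONS at startup and splits it on whitespace,
    # so the base path must not contain spaces.
    JAVA_TOOL_OPTIONS="-Djava.io.tmpdir=$ptd_dir${JAVA_TOOL_OPTIONS:+ $JAVA_TOOL_OPTIONS}" "$@" \
        && ptd_status=0 || ptd_status=$?
    rm -rf "$ptd_dir"
    return "$ptd_status"
}

# Usage (snapshot-import.jar is a placeholder):
#   run_with_private_tmpdir java -jar snapshot-import.jar
```

Cleanup happens only on normal exit of the wrapped command; a process killed mid-import leaves the directory behind, still mode 0700.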