CVE-2026-9035 | THREATINT

Description

IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Endpoint are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.

PUBLISHED Reserved 2026-05-19 | Published 2026-05-27 | Updated 2026-05-27 | Assigner ibm

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

3.7.4 (semver)

affected

3.7.4 (semver)

affected

Credits

The vulnerabilities were reported to IBM by Yannik Marchand. finder

References

www.ibm.com/support/pages/node/7273615 vendor-advisory patch

cve.org (CVE-2026-9035)

nvd.nist.gov (CVE-2026-9035)

Download JSON