CVE-2026-9035
Description
IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1 and IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1 are affected by a potential arbitrary file read in the asperahttpd component. An authenticated user may be able to take advantage of this vulnerability to access files in the server’s local storage that they should not have access to.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Aspera High-Speed Transfer Endpoint and Server are vulnerable to a path traversal attack allowing authenticated users to read arbitrary files.
Vulnerability
IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 contain a path traversal vulnerability (CWE-22) in the asperahttpd component. An authenticated user can exploit this to read files outside the intended directory [1].
Exploitation
An authenticated user can send crafted HTTP requests with path traversal sequences (e.g., ../) to the asperahttpd component, bypassing directory restrictions and accessing arbitrary files on the server's local storage [1].
Impact
Successful exploitation allows an attacker to read sensitive files on the server, leading to high confidentiality impact. The CVSS vector indicates no impact on integrity or availability [1].
Mitigation
IBM has addressed this vulnerability in version 4.4.7 Fix Pack 2. Users should upgrade to this or later versions. No workarounds are documented [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=3.7.4, <=4.4.7 FP1
- Range: >=3.7.4, <=4.4.7 FP1
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.