CWE-377
Insecure Temporary File
ClassIncomplete
Description
Creating and using insecure temporary files can leave application and system data vulnerable to attack.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-149 · CAPEC-155
CVEs mapped to this weakness (17)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2015-5224 | Cri | 0.64 | 9.8 | 0.04 | Aug 23, 2017 | The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. | |
| CVE-2025-67223 | Hig | 0.49 | 7.5 | 0.00 | Apr 28, 2026 | The Aranda File Server (AFS) component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls to download sensitive documents containing PII. | |
| CVE-2026-20649 | Hig | 0.49 | 7.5 | 0.00 | Feb 11, 2026 | A logging issue was addressed with improved data redaction. This issue is fixed in iOS 26.3 and iPadOS 26.3, macOS Tahoe 26.3, tvOS 26.3, watchOS 26.3. A user may be able to view sensitive user information. | |
| CVE-2024-49506 | Hig | 0.47 | — | 0.00 | Nov 13, 2024 | Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem | |
| CVE-2026-40973 | Hig | 0.46 | 7.0 | 0.00 | Apr 28, 2026 | A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory. | |
| CVE-2026-20204 | Hig | 0.46 | 7.1 | 0.00 | Apr 15, 2026 | In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory. | |
| CVE-2026-4822 | Hig | 0.46 | 7.0 | 0.00 | Mar 25, 2026 | A vulnerability was detected in Enter Software Iperius Backup up to 8.7.3. Affected is an unknown function of the file C:\ProgramData\IperiusBackup\Jobs\ of the component Backup Service. Performing a manipulation results in creation of temporary file with insecure permissions. The attack is only possible with local access. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit is now public and may be used. Upgrading to version 8.7.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product. | |
| CVE-2026-25701 | Hig | 0.46 | — | 0.00 | Feb 25, 2026 | An Insecure Temporary File vulnerability in openSUSE sdbootutil allows local users to pre-create a directory to achieve various effects like: * gain access to possible private information found in /var/lib/pcrlock.d * manipulate the data backed up in /tmp/pcrlock.d.bak, therefore violating the integrity of the data should it be restored. * overwrite protected system files with data from /var/lib/pcrlock.d by placing symlinks to existing files in the directory tree in /tmp/pcrlock.d.bak. This issue affects sdbootutil: from ? before 5880246d3a02642dc68f5c8cb474bf63cdb56bca. | |
| CVE-2025-61659 | Med | 0.44 | 6.8 | 0.00 | Sep 29, 2025 | bash-git-prompt 2.6.1 through 2.7.1 insecurely uses the /tmp/git-index-private$$ file, which has a predictable name. | |
| CVE-2024-6654 | Med | 0.44 | — | 0.00 | Sep 27, 2024 | Products for macOS enables a user logged on to the system to perform a denial-of-service attack, which could be misused to disable the protection of the ESET security product and cause general system slow-down. | |
| CVE-2017-7549 | Med | 0.42 | 6.4 | 0.00 | Sep 21, 2017 | A flaw was found in instack-undercloud 7.2.0 as packaged in Red Hat OpenStack Platform Pike, 6.1.0 as packaged in Red Hat OpenStack Platform Oacta, 5.3.0 as packaged in Red Hat OpenStack Newton, where pre-install and security policy scripts used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. | |
| CVE-2026-40979 | Med | 0.40 | 6.1 | 0.00 | Apr 28, 2026 | In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5) | |
| CVE-2024-23287 | Med | 0.36 | 5.5 | 0.00 | Mar 8, 2024 | A privacy issue was addressed with improved handling of temporary files. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4, watchOS 10.4. An app may be able to access user-sensitive data. | |
| CVE-2017-7560 | Med | 0.36 | 5.5 | 0.00 | Sep 13, 2017 | It was found that rhnsd PID files are created as world-writable that allows local attackers to fill the disks or to kill selected processes. | |
| CVE-2024-34490 | Med | 0.33 | 5.1 | 0.00 | May 5, 2024 | In Maxima through 5.47.0 before 51704c, the plotting facilities make use of predictable names under /tmp. Thus, the contents may be controlled by a local attacker who can create files in advance with these names. This affects, for example, plot2d. | |
| CVE-2025-9474 | Med | 0.29 | 4.5 | 0.00 | Aug 26, 2025 | A vulnerability was detected in Mihomo Party up to 1.8.1 on macOS. Affected is the function enableSysProxy of the file src/main/sys/sysproxy.ts of the component Socket Handler. The manipulation results in creation of temporary file with insecure permissions. The attack requires a local approach. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. | |
| CVE-2026-35342 | Low | 0.14 | 3.3 | 0.00 | Apr 22, 2026 | The mktemp utility in uutils coreutils fails to properly handle an empty TMPDIR environment variable. Unlike GNU mktemp, which falls back to /tmp when TMPDIR is an empty string, the uutils implementation treats the empty string as a valid path. This causes temporary files to be created in the current working directory (CWD) instead of the intended secure temporary directory. If the CWD is more permissive or accessible to other users than /tmp, it may lead to unintended information disclosure or unauthorized access to temporary data. |