CVE-2026-9035 Overview
CVE-2026-9035 is an arbitrary file read vulnerability in the asperahttpd component of IBM Aspera High-Speed Transfer Endpoint and IBM Aspera High-Speed Transfer Server. Affected versions span 3.7.4 through 4.4.7 Fix Pack 1. An authenticated user can leverage the flaw to read files in the server's local storage that should remain inaccessible. The weakness is classified as a path traversal issue [CWE-22], allowing attackers to bypass intended directory boundaries through crafted requests.
Critical Impact
Authenticated attackers can read sensitive files outside their authorized scope, exposing configuration data, credentials, and proprietary content stored on the Aspera transfer server.
Affected Products
- IBM Aspera High-Speed Transfer Endpoint 3.7.4 through 4.4.7 Fix Pack 1
- IBM Aspera High-Speed Transfer Server 3.7.4 through 4.4.7 Fix Pack 1
- asperahttpd component shared across affected Aspera builds
Discovery Timeline
- 2026-05-27 - CVE-2026-9035 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-9035
Vulnerability Analysis
The vulnerability resides in asperahttpd, the HTTP daemon that handles fallback and web-based file transfer operations within IBM Aspera High-Speed Transfer products. The component fails to properly canonicalize and validate file paths supplied through authenticated requests. An attacker holding valid credentials can submit crafted path inputs that traverse outside their authorized directory scope. The result is unauthorized read access to files stored on the host system. Because Aspera deployments often host high-value media, financial, or regulated content, the exposure extends beyond typical configuration disclosure.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The asperahttpd request handler accepts path components without enforcing strict normalization against the user's allowed root. Sequences that resolve to parent directories are processed as valid file references. This allows resolution to arbitrary locations on the underlying filesystem within the privilege boundary of the asperahttpd process.
Attack Vector
The attack is network-based and requires low-privilege authentication. No user interaction is needed and complexity is low. An authenticated user issues a request to asperahttpd referencing a file path outside their authorized storage area. The server returns file contents that the user is not entitled to read. Confidentiality impact is high while integrity and availability remain unaffected, consistent with a read-only disclosure primitive.
No verified public proof-of-concept code is available. See the IBM Support Page for vendor technical details.
Detection Methods for CVE-2026-9035
Indicators of Compromise
- HTTP requests to asperahttpd endpoints containing path traversal sequences such as ../, encoded variants (%2e%2e%2f), or absolute path references
- Authenticated sessions accessing files outside the user's provisioned transfer directories
- Unexpected read access patterns in Aspera transfer logs targeting system files such as /etc/passwd, configuration files, or token stores
Detection Strategies
- Inspect asperahttpd access logs for requests that include directory traversal patterns or unusual file path arguments
- Correlate authenticated user identifiers with file access events that fall outside their assigned docroot configuration
- Baseline normal file access volume per Aspera account and alert on deviations indicating enumeration activity
Monitoring Recommendations
- Forward Aspera HTTP and transfer logs to a centralized SIEM for retention and correlation
- Enable verbose request logging on asperahttpd to capture full request URIs and resolved file paths
- Monitor file system access on the Aspera host for reads originating from the asperahttpd process targeting non-transfer directories
How to Mitigate CVE-2026-9035
Immediate Actions Required
- Apply the IBM-provided fix referenced in the IBM Support Page for CVE-2026-9035
- Audit all Aspera user accounts and revoke credentials that are no longer required or that exhibit excessive privileges
- Review docroot configurations to ensure each account is constrained to a minimal, dedicated directory
Patch Information
IBM has published remediation guidance for affected versions of IBM Aspera High-Speed Transfer Endpoint and Server 3.7.4 through 4.4.7 Fix Pack 1. Administrators should consult the IBM Support Page for the fixed release versions and upgrade instructions.
Workarounds
- Restrict network access to asperahttpd listening ports to trusted source addresses using firewall rules
- Enforce strict per-user docroot confinement and disable shared transfer directories where feasible
- Rotate credentials and enable multi-factor authentication on identity providers fronting Aspera access to limit unauthorized account use
# Configuration example: restrict Aspera user to a confined docroot
asconfigurator -x "set_user_data;user_name,transferuser;absolute,/var/aspera/transferuser"
asconfigurator -x "set_user_data;user_name,transferuser;read_allowed,true;write_allowed,false"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
