PatchSiren cyber security CVE debrief

CVE-2026-9035 IBM CVE debrief

IBM Aspera High-Speed Transfer Endpoint and Server versions 3.7.4 through 4.4.7 Fix Pack 1 contain an arbitrary file read vulnerability in the asperahttpd component. An authenticated attacker can exploit path traversal weaknesses (CWE-22) to access files outside intended directories on the server's local storage. The vulnerability requires network access and valid credentials, with no user interaction needed. IBM has released security updates addressing this issue.

Vendor
IBM
Product
Aspera High-Speed Transfer Endpoint and Aspera High-Speed Transfer Server
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running IBM Aspera High-Speed Transfer Endpoint or Server versions 3.7.4 through 4.4.7 Fix Pack 1. The exposure is highest where asperahttpd (the HTTP-based transfer listener) is reachable from untrusted networks, and where transfer credentials are issued to many users or to external partners, because any valid low-privileged account is enough to exploit the flaw.

Technical summary

The asperahttpd component in IBM Aspera High-Speed Transfer Endpoint and Server, versions 3.7.4 through 4.4.7 Fix Pack 1, is vulnerable to path traversal (CWE-22). An authenticated attacker can read arbitrary files from the server's local storage, bounded only by what the asperahttpd process itself is permitted to open. CVSS 3.1: 6.5 (Medium): network exploitable, low attack complexity, low privileges required, no user interaction.

Defensive priority

Medium

Recommended defensive actions

  • Apply IBM's fix: upgrade Aspera High-Speed Transfer Endpoint or Server to version 4.4.7 Fix Pack 2 or later. This is the only action that removes the flaw; everything below reduces exposure or aids detection.
  • Restrict network access to asperahttpd, the HTTP-based transfer listener, to the client networks that actually need it. Do not expose it to the internet or to tenants that do not use HTTP transfers. Exposure alone is not the whole story, since the attacker also needs a valid account.
  • Audit transfer-user accounts and credentials. Any low-privileged account is sufficient to exploit this, so remove stale accounts, enforce strong authentication, and review accounts issued to external partners.
  • Run asperahttpd under a dedicated low-privileged account and keep file system permissions tight, so that a successful read is limited to that account's own transfer area rather than secrets, keys, or other users' data.
  • Monitor asperahttpd access logs for ../ sequences, including URL-encoded (%2e%2e%2f) and double-encoded (%252e%252e) forms, and treat a 2xx response to such a request as a confirmed read rather than an attempt.
  • If a reverse proxy or WAF fronts asperahttpd, reject requests whose decoded path contains traversal sequences. This is a stopgap until the patch is applied, not a fix: encoding variants the rule does not cover will pass through.
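The following is an added example for the monitoring and traversal-blocking items above; it is not code from IBM or asperahttpd, and it does not reproduce the CVE-2026-9035 bug. It shows the general bug class beside its hardened form and a log scan that tolerates encoded and double-encoded traversal while ignoring look-alikes such as a folder named 2026..v2. The docroot path and the Common Log Format lines are constructed assumptions, not real Aspera output.

```python
"""Path-traversal checks for an HTTP file server and its access logs.

Added example for this debrief: it is not asperahttpd code and does not
reproduce the CVE-2026-9035 bug. The docroot path and the log lines below are
constructed assumptions in Common Log Format, not real Aspera output.
"""
import os
import re
import urllib.parse
from pathlib import Path
from typing import Dict, List, Optional

# A ".." segment delimited by slashes or backslashes (or the path ends), after
# decoding. "2026..v2" is not a traversal and must not match.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def canonicalize_request_path(raw: str, max_decodes: int = 3) -> str:
    """Strip the query string, percent-decode repeatedly (so %252e%252e, the
    double-encoded form, collapses to ..) and fold backslashes to slashes.
    Limitation: overlong UTF-8 such as %c0%ae is not folded to a dot here."""
    path = raw.split("?", 1)[0]
    for _ in range(max_decodes):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal(raw: str) -> bool:
    """True if the decoded request path contains a '..' segment."""
    return bool(_TRAVERSAL.search(canonicalize_request_path(raw)))


def naive_join(docroot: str, request_path: str) -> str:
    """The CWE-22 pattern: decode, join under the docroot, never check where
    the result landed. Illustrative of the bug class, not asperahttpd's code."""
    rel = canonicalize_request_path(request_path).lstrip("/")
    return os.path.normpath(os.path.join(docroot, rel))


def resolve_under_docroot(docroot: str, request_path: str) -> Optional[Path]:
    """Hardened form: resolve symlinks and '..' on both sides, then require the
    result to sit inside the docroot. Returns None for anything that escapes."""
    root = Path(docroot).resolve()
    rel = canonicalize_request_path(request_path).lstrip("/")
    candidate = (root / rel).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    return candidate


# Constructed sample access log (Common Log Format); "bob" is the attacker.
SAMPLE_LOG = """\
10.0.0.5 - alice [27/May/2026:10:01:02 +0000] "GET /files/report.csv HTTP/1.1" 200 8123
10.0.0.9 - bob [27/May/2026:10:01:07 +0000] "GET /files/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 2341
10.0.0.9 - bob [27/May/2026:10:01:09 +0000] "GET /files/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
10.0.0.5 - alice [27/May/2026:10:02:11 +0000] "GET /files/2026..v2/notes.txt HTTP/1.1" 200 512
"""

_CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_attempts(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose decoded path contains a traversal
    segment. A 2xx status on such a request means the read succeeded."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = _CLF.match(line)
        if m and has_traversal(m["path"]):
            hits.append({"ip": m["ip"], "user": m["user"], "path": m["path"],
                         "status": int(m["status"]),
                         "succeeded": m["status"].startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
    print(naive_join("/srv/aspera/docroot", "/files/..%2f..%2f..%2fetc/passwd"))
    print(resolve_under_docroot("/srv/aspera/docroot", "/files/..%2f..%2f..%2fetc/passwd"))
```

The important design point is in resolve_under_docroot: it does not look for bad substrings at all, it resolves the final path (symlinks included) and checks containment, which is why it holds up against encodings the regex in has_traversal would miss. The regex is the right tool for the log scan, where the goal is to surface attempts, and the "succeeded" flag separates a blocked probe (403) from a read that actually returned data (200).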

Evidence notes

CWE-22 (Path Traversal) is the stated root cause. The CVSS 3.1 vector confirms a network attack vector, low attack complexity, low privileges required, and no user interaction; a 6.5 score under those metrics is consistent with a high confidentiality impact and no integrity or availability impact, which matches a read-only file disclosure. CISA KEV status is not recorded in the stored evidence. IBM PSIRT is the authoritative source; confirm the affected version range and the Fix Pack level against the IBM advisory before acting, since Fix Pack numbering is vendor-specific.

Official resources

IBM disclosed this vulnerability on May 27, 2026. The affected products are enterprise file transfer solutions used for high-speed data movement. The asperahttpd component, which provides HTTP-based transfer capabilities, fails to properly