CVE-2026-41863
LLM-influenced filename used unsanitized in Path.resolve before file write in Spring AI support for Anthropic Skills API
Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories.
Affected versions:
Spring AI: 1.1.0 through 1.1.x
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Productos afectados
Spring · Spring AI¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://spring.io/security/cve-2026-41863