EUVD-2026-31638
GHSA-cc4m-mp48-x7qg
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories.
Affected versions: Spring AI: 1.1.0 through 1.1.x
AnalysisAI
Path traversal in Spring AI 1.1.0-1.1.x allows authenticated remote attackers to write arbitrary files outside the intended target directory by exploiting unsanitized LLM-influenced filenames in the Anthropic Skills API file-write workflow. The root cause is Spring AI passing filenames derived from LLM output directly to Path.resolve() without input sanitization, enabling directory escape via traversal sequences. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold at least low-privilege authenticated access to the application (confirmed by PR:L in the CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N scores 6.5 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user of an application built on Spring AI 1.1.x with the Anthropic Skills API integration active crafts an input designed to elicit a path-traversal sequence in the LLM's file-naming output - for example, prompting the model to name a file '../../etc/cron.d/backdoor'. Spring AI passes this unsanitized string to Path.resolve() within the file-write code path, resolving the traversal sequence to an absolute path outside the intended directory. … |
| Remediation | Consult the Spring security advisory at https://spring.io/security/cve-2026-41863 for the vendor-confirmed fixed version and apply the patch immediately; an exact fix version number was not included in the available intelligence data, so the advisory must be consulted directly to confirm the target upgrade version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
Share
External POC / Exploit Code
Leaving vuln.today