CVE-2026-41863 Overview
CVE-2026-41863 is a path traversal vulnerability [CWE-22] in Spring AI's integration with Anthropic's Skills API. The framework passed large language model (LLM)-influenced filenames directly to java.nio.file.Path.resolve, without sanitization or a containment check, before writing files to disk. An authenticated attacker can craft input that causes the application to write files outside the intended target directory, including into restricted system directories. The flaw affects Spring AI versions 1.1.0 through 1.1.x.
Critical Impact
A malicious actor can manipulate LLM-controlled filenames to write arbitrary files outside the target directory, enabling overwrite of sensitive files and potential follow-on code execution.
Affected Products
- Spring AI 1.1.0 through 1.1.x
- Applications integrating Spring AI with Anthropic's Skills API
- Java services using Spring AI file-handling components for LLM outputs
Discovery Timeline
- 2026-05-25 - CVE-2026-41863 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-41863
Vulnerability Analysis
The vulnerability resides in Spring AI's handler for Anthropic's Skills API. Skills can produce files that the framework persists to disk on behalf of the calling application. The filename component of those outputs is influenced by the LLM and, by extension, by user input that reaches the model.
Spring AI passed these filenames directly to Path.resolve without normalization or validation. Path.resolve returns its argument unchanged when that argument is an absolute path, and otherwise joins it to the base directory without normalizing, so ../ segments survive into the resulting path and are honored by the filesystem when the file is opened. A filename that is absolute or contains ../ segments therefore escapes the intended output directory. The result is a classic directory traversal weakness ([CWE-22]) reachable through indirect, model-mediated input.
Integrity is the primary impact. The flaw does not let an attacker read existing files, but an arbitrary write into any location the service account can modify can corrupt application data, plant configuration files, or replace executable artifacts, which is how follow-on code execution becomes possible.
Root Cause
The root cause is missing input sanitization on filenames returned through the Skills API workflow. The code assumed model-influenced filenames were safe relative identifiers. It did not verify that the resolved path stayed within the configured target directory, nor did it reject absolute paths or .. segments.
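The following is an added illustration of the two behaviours described above and is not Spring AI's code: a resolver that hands a model-returned name straight to Path.resolve, beside a hardened version that normalizes the result and refuses anything that does not stay under the output directory. The method names, the base directory /var/lib/springai/skills-output and the sample filenames are assumptions chosen for this example; the unchecked variant reproduces the page's description of the vulnerable pattern and must not be used.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class SkillOutputResolver {

    // Vulnerable pattern as described on the page (example, not Spring AI's code):
    // the model-influenced name goes straight to Path.resolve. An absolute name
    // replaces baseDir entirely; a relative name keeps its ".." segments, which the
    // OS honors when the file is opened.
    static Path resolveUnchecked(Path baseDir, String fileName) {
        return baseDir.resolve(fileName);
    }

    // Hardened: reject absolute names, normalize the joined path, and require the
    // result to remain a strict descendant of baseDir. Path.startsWith compares
    // whole name elements, so "/x/skills-output-old" does not match "/x/skills-output".
    static Path resolveContained(Path baseDir, String fileName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate = Paths.get(fileName);
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute path rejected: " + fileName);
        }
        Path resolved = base.resolve(candidate).normalize();
        if (!resolved.startsWith(base) || resolved.equals(base)) {
            throw new IllegalArgumentException("escapes output directory: " + fileName);
        }
        return resolved;
    }

    // Strictest policy, for integrations that only expect flat filenames back from a
    // Skill: exactly one name element, no separators of either kind, not "." or "..".
    static Path resolveSingleName(Path baseDir, String fileName) {
        Path candidate = Paths.get(fileName);
        if (candidate.isAbsolute() || candidate.getNameCount() != 1
                || fileName.equals(".") || fileName.equals("..")
                || fileName.contains("\\")) {
            throw new IllegalArgumentException("not a plain filename: " + fileName);
        }
        return resolveContained(baseDir, fileName);
    }

    public static void main(String[] args) {
        // Assumed output directory and constructed sample names; the last two are the
        // traversal and absolute-path shapes the advisory describes.
        Path base = Paths.get("/var/lib/springai/skills-output");
        String[] names = { "report.md", "sub/notes.txt", "../../etc/cron.d/job", "/etc/passwd" };
        for (String name : names) {
            System.out.println("unchecked : " + resolveUnchecked(base, name));
            try {
                System.out.println("contained : " + resolveContained(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected  : " + e.getMessage());
            }
        }
    }
}
```

The containment check after normalize() is the one that matters: isAbsolute() alone is not enough, because on Windows a root-relative name such as \etc\passwd is not reported as absolute yet still resolves outside the base directory, and the normalized startsWith test catches it regardless of platform.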
Attack Vector
The attack vector is network-based and requires low privileges. An authenticated user submits a prompt or request that causes the Anthropic Skill to return a file whose name contains traversal sequences or an absolute path. Spring AI resolves and writes that file, placing attacker-controlled content at the chosen location. No user interaction beyond the initial request is required.
This writeup describes the flaw in prose only and does not reproduce exploit steps; refer to the Spring Security Advisory for CVE-2026-41863 for vendor-confirmed technical details.
Detection Methods for CVE-2026-41863
Indicators of Compromise
- Files created outside the configured Spring AI working directory, particularly under system paths such as /etc, under /var outside the service's own subtree, or in application binary locations.
- Application log entries for Skills output writes (where the application logs them) that show filenames containing .., /, or \ characters, or that begin with an absolute path or drive letter.
- Unexpected modifications to configuration files, startup scripts, or static web assets shortly after Anthropic Skills API calls.
Detection Strategies
- Audit Spring AI dependency versions across build manifests and identify any deployment running 1.1.0 through 1.1.x.
- Inspect application logs for file write operations triggered by Skills API responses and correlate target paths against the expected output directory.
- Add filesystem integrity monitoring on directories that host Spring AI deployments and adjacent sensitive paths.
Monitoring Recommendations
- Alert on process file writes where the destination path is outside an allow-listed output directory for the Spring AI service account.
- Capture and review LLM prompt and response payloads for filename fields containing path separators or absolute path prefixes.
- Track outbound traffic to the Anthropic API alongside subsequent filesystem activity to establish a baseline for anomaly detection.
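As an added example of the log review described in the detection and monitoring lists, the class below screens constructed write-event log lines in two independent ways: a lexical check on the filename field returned from the Skill (separators, "..", drive letters) and a containment check on the path the service actually wrote to, against an allow-listed output directory. The log format with filename="..." and target="..." fields, the class and method names, and the sample lines are all assumptions made for this example; Spring AI's real log lines will differ and the regexes must be adapted to them. This is not Spring AI's code.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SkillWriteAudit {

    // Hypothetical log fields, constructed for this example; adapt to the real format.
    private static final Pattern NAME_FIELD = Pattern.compile("filename=\"([^\"]*)\"");
    private static final Pattern TARGET_FIELD = Pattern.compile("target=\"([^\"]*)\"");
    private static final Pattern DRIVE_LETTER = Pattern.compile("^[A-Za-z]:");

    // Lexical screen on the model-returned name: anything other than a single plain
    // name element is worth a look (separators of either kind, ".", "..", drive letters).
    static boolean suspiciousName(String name) {
        return name.isEmpty()
                || name.contains("/") || name.contains("\\")
                || name.equals(".") || name.equals("..")
                || DRIVE_LETTER.matcher(name).find();
    }

    // Containment screen on the path the service wrote: normalize and compare whole
    // name elements against the allow-listed directory.
    static boolean outsideAllowed(String target, Path allowed) {
        Path written = Paths.get(target).toAbsolutePath().normalize();
        Path base = allowed.toAbsolutePath().normalize();
        return !written.startsWith(base);
    }

    // Returns one finding per rule that fired, so a single line can yield two findings.
    static List<String> audit(List<String> logLines, Path allowed) {
        List<String> findings = new ArrayList<>();
        for (String line : logLines) {
            Matcher n = NAME_FIELD.matcher(line);
            Matcher t = TARGET_FIELD.matcher(line);
            if (!n.find() || !t.find()) {
                continue; // not a write event in the assumed format
            }
            String name = n.group(1);
            String target = t.group(1);
            if (suspiciousName(name)) {
                findings.add("suspicious filename from Skill: " + name);
            }
            if (outsideAllowed(target, allowed)) {
                findings.add("write outside allowed directory: " + target);
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        Path allowed = Paths.get("/var/lib/springai/skills-output");
        // Constructed sample lines: one benign, one traversal, one Windows-style
        // drive path, one benign. The drive-path line stays inside the directory on a
        // Unix host (backslash is not a separator there) and is caught only lexically.
        List<String> lines = List.of(
            "2026-05-27T10:00:01Z INFO SkillsWriter filename=\"summary.md\" target=\"/var/lib/springai/skills-output/summary.md\"",
            "2026-05-27T10:00:07Z INFO SkillsWriter filename=\"../../../../etc/cron.d/sync\" target=\"/var/lib/springai/skills-output/../../../../etc/cron.d/sync\"",
            "2026-05-27T10:00:09Z INFO SkillsWriter filename=\"C:\\Windows\\Temp\\x.bat\" target=\"/var/lib/springai/skills-output/C:\\Windows\\Temp\\x.bat\"",
            "2026-05-27T10:00:12Z INFO SkillsWriter filename=\"notes.txt\" target=\"/var/lib/springai/skills-output/notes.txt\""
        );
        audit(lines, allowed).forEach(System.out::println);
    }
}
```

Run the two checks independently rather than relying on either one: the lexical rule fires on names that the filesystem would treat as harmless on one platform but not another, while the containment rule catches names that look plain in the log but were combined with a different base than expected. The lexical rule also fires on legitimate subdirectory names, so tune it to whatever the integration is actually expected to return.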
How to Mitigate CVE-2026-41863
Immediate Actions Required
- Upgrade Spring AI to a fixed release as identified in the Spring Security Advisory for CVE-2026-41863.
- Restrict the operating system permissions of the service account running Spring AI so it cannot write outside its working directory.
- Review recent Skills API activity for filenames containing .., forward slashes, backslashes, or drive letters.
Patch Information
Spring has published a security advisory for CVE-2026-41863. Consult the Spring Security Advisory for CVE-2026-41863 for the patched version range and upgrade guidance. Apply the fixed release in development, staging, and production environments and rebuild any container images that bundle Spring AI.
Workarounds
- Wrap or override the Skills API file-writing component to validate that the resolved path is a child of the intended output directory before writing.
- Sanitize filenames returned from the LLM by stripping path separators and rejecting absolute paths or .. sequences.
- Run the Spring AI process in a sandbox or container with a read-only root filesystem and a single writable mount point for legitimate output.
# Configuration example
# Verify Spring AI version in a Maven project before and after patching
mvn dependency:tree | grep spring-ai
# Run the service under a dedicated, least-privileged user with a restricted writable directory
useradd -r -s /usr/sbin/nologin springai
install -d -o springai -g springai -m 0750 /var/lib/springai/skills-output
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


