
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN572
_____________________________________________________________________

DATE                : 01/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring AI versions prior to 1.1.7.

=====================================================================
https://spring.io/security/cve-2026-41863/
_____________________________________________________________________

CVE-2026-41863: LLM-influenced filename used unsanitized in
Path.resolve before file write in Spring AI support for
Anthropic Skills API

MEDIUM | MAY 23, 2026 | CVE-2026-41863


Description

Spring AI's support for Anthropic's Skills API used LLM-influenced
filenames unsanitized in Path.resolve before writing files to disk.
This could allow a malicious user to write files outside the intended
target directory, including restricted directories.
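As an added illustration (not Spring AI's own code), the unsafe Path.resolve pattern the advisory describes sits beside a hardened version that normalizes the result and verifies it is still inside the target directory; class names, method names and the sample filenames are hypothetical, and the absolute-path case assumes a POSIX filesystem.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical example class; not part of Spring AI.
public class SkillFileWriter {

    // Vulnerable pattern described in the advisory: the model-influenced name
    // goes straight into Path.resolve, so "../x" or an absolute path escapes targetDir.
    static Path resolveUnsafe(Path targetDir, String llmFilename) {
        return targetDir.resolve(llmFilename);
    }

    // Hardened version: resolve, normalize, then require the result to remain a
    // direct child of the intended directory; anything else is rejected.
    static Path resolveSafely(Path targetDir, String llmFilename) {
        Path base = targetDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(llmFilename).normalize();
        if (!candidate.startsWith(base) || !base.equals(candidate.getParent())) {
            throw new IllegalArgumentException("filename escapes target directory: " + llmFilename);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        Path skillsDir = Files.createTempDirectory("skills");
        // Constructed sample names: one benign, one traversal-style, one absolute.
        String[] names = {"SKILL.md", "../escape.txt", "/tmp/absolute.txt"};
        for (String name : names) {
            // The unsafe resolution is only printed here, never written to.
            System.out.println("unsafe resolves to: " + resolveUnsafe(skillsDir, name).normalize());
            try {
                Path p = resolveSafely(skillsDir, name);
                Files.writeString(p, "ok");
                System.out.println("safe: wrote " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("safe: rejected " + name);
            }
        }
    }
}
```

Only SKILL.md is written; the other two names resolve outside the temporary directory and are rejected before any file I/O.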


Affected Spring Products and Versions

Spring AI:

    1.1.0 - 1.1.x


Mitigation

Users of affected versions should upgrade to the corresponding fixed
version.

Affected version(s)   Fix version   Availability
1.1.x                 1.1.7         OSS


References

        https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N&version=3.1

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================