CVE-2026-22738: In Spring AI [PoC]

Overview

A critical security vulnerability has been identified in the Spring AI framework. Tracked as CVE-2026-22738, this flaw is a SpEL (Spring Expression Language) injection vulnerability within the SimpleVectorStore component. If exploited, it could allow a malicious actor to execute arbitrary code on the affected server.

Vulnerability Details

In simple terms, this vulnerability exists when an application using Spring AI’s SimpleVectorStore passes user-supplied data directly as a filter expression key. The system fails to properly sanitize this input, allowing an attacker to inject malicious SpEL expressions. SpEL is a powerful expression language; injecting into it is akin to giving an attacker the ability to run their own commands within your application’s context.

The vulnerability is specific to applications that use the SimpleVectorStore and incorporate untrusted user input into filter expressions. It affects Spring AI versions from 1.0.0 before 1.0.5, and from 1.1.0 before 1.1.4.

Impact

The impact of this vulnerability is severe (CVSS Score: 9.8 - CRITICAL). Successful exploitation could lead to:

• Arbitrary Code Execution: An attacker could run any code they choose on the server hosting the vulnerable Spring AI application.
• Complete System Compromise: This could result in data theft, deployment of ransomware, or use of the server as a foothold for further attacks within your network.
• Data Breach: Sensitive information processed or stored by the AI application could be exfiltrated. For context on the real-world impact of such events, you can review historical incidents in our breach reports.

Remediation and Mitigation

The primary and most effective action is to update the Spring AI dependency immediately.

1. Immediate Patching:

• If you are using any version from 1.0.0 to 1.0.4, upgrade to version 1.0.5 or later.
• If you are using any version from 1.1.0 to 1.1.3, upgrade to version 1.1.4 or later. Update your project’s dependencies (e.g., in pom.xml for Maven or build.gradle for Gradle) to the patched version and redeploy your application.

2. Interim Mitigation (If Patching is Delayed): If an immediate update is not possible, rigorously validate and sanitize all user input before it is passed to the SimpleVectorStore as a filter expression key. Treat all such input as untrusted. However, patching is the only complete solution.

3. Verification: After patching, audit your application to ensure no code paths allow unsanitized user input to reach the SimpleVectorStore filter parameter.

For ongoing updates on critical vulnerabilities like this one, follow our security news feed. Organizations using affected versions should treat this patch as a high-priority action to prevent potential system compromise.