Cantina Case Study: How Apex Found a Critical RCE Bug in Spring AI

On March 26, 2026, a critical vulnerability designated as CVE-2026-22738 was disclosed in Spring AI, a popular framework for building AI applications in Java. With a maximum CVSS score of 9.8, the flaw affected the SimpleVectorStore component and presented a direct path to Remote Code Execution (RCE).

Here is a factual look at the mechanics of the vulnerability, its practical impact, and how Cantina's AI-powered application security solution, Apex, autonomously identified the threat before it could be exploited.

The Flaw: Unvalidated Input in Vector Store Filters

In AI applications, vector stores are used to manage memory and contextual data. To make data retrieval dynamic, developers often allow users to apply filters to their queries. In Spring AI applications utilizing SimpleVectorStore, user-supplied values could be passed as filter expression keys.

The vulnerability stemmed from how that input was processed. Instead of being treated purely as a string of text, the unvalidated user input was passed directly into the Spring Expression Language (SpEL) evaluation engine. SpEL is a powerful feature that lets developers query and manipulate an object graph at runtime.

Because the input was not properly escaped or sanitized before evaluation, the application would process malicious SpEL payloads as executable code.

The Practical Impact

Because this vulnerability required no authentication or user interaction (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), an attacker could exploit it simply by sending a standard web request with a crafted SpEL payload in the filter field.

Achieving RCE means the attacker can run arbitrary commands on the host server. In the context of an AI application, the practical consequences include:

  • Credential and API Key Exposure: AI backends heavily rely on environment variables to store highly privileged API keys for LLM providers and cloud infrastructure. An attacker could command the server to output these credentials.
  • Data Manipulation: With direct access to the vector store, an attacker could silently alter embedding data, causing the AI to retrieve and serve poisoned or incorrect context to legitimate users.
  • Host Compromise: The compromised server could be used as a stepping stone to scan and attack other internal services that trust the AI backend's IP address.

How Apex Caught It

SpEL injections are notoriously difficult to detect using standard Static Application Security Testing (SAST) tools. Traditional scanners often lose track of a variable as it moves from an API endpoint, through various application layers, and finally into an expression evaluator.

This specific execution path was successfully traced and reported by Apex.

Apex is your AI-powered application security solution. It understands your codebase, identifies risks, and takes action so your team can ship with confidence.

Rather than relying on generic signatures, Apex approached the Spring AI codebase contextually:

  1. Data Flow Mapping: Apex mapped the complete journey of the user-supplied string, tracking the input from its external entry point down into the SimpleVectorStore.
  2. Contextual Validation: It recognized that the data was entering the SpEL evaluator without a preceding sanitization step.
  3. Autonomous Action: Upon verifying that the path was genuinely exploitable, Apex flagged it as a critical RCE risk and autonomously generated the code patch required to secure the input.

The Resolution

To mitigate CVE-2026-22738, organizations using Spring AI should immediately upgrade to the patched versions: 1.0.5 or 1.1.4. For teams unable to patch immediately, it is necessary to implement strict input validation to ensure that no unescaped strings reach the vector store filters.
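As an illustration of the interim input validation described above, the following is an added example, not code from Spring AI or from Apex. It checks user-supplied filter keys against an allow-list and an identifier pattern before any filter expression is built from them. The class name, the allowed field names and the sample inputs are assumptions made for this sketch.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Added example (hypothetical names): validates user-supplied metadata
 *  filter keys before any filter expression is built from them. */
public class FilterKeyGuard {

    // Assumption: the application knows which metadata fields are filterable.
    private static final Set<String> ALLOWED_KEYS = Set.of("author", "year", "category");

    // Defense in depth: plain identifiers only, so quotes, brackets,
    // parentheses, '#' and other expression syntax can never appear in a key.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    /** Returns a copy of the criteria, or throws if any key or value is not acceptable. */
    public static Map<String, Object> validate(Map<String, ?> userCriteria) {
        Map<String, Object> safe = new LinkedHashMap<>();
        for (Map.Entry<String, ?> e : userCriteria.entrySet()) {
            String key = e.getKey();
            if (key == null || !IDENTIFIER.matcher(key).matches() || !ALLOWED_KEYS.contains(key)) {
                // The rejected key is deliberately not echoed into the message or logs.
                throw new IllegalArgumentException("Rejected filter key");
            }
            Object value = e.getValue();
            // Assumption: filter values are simple scalars; anything else is refused.
            if (!(value instanceof String || value instanceof Number || value instanceof Boolean)) {
                throw new IllegalArgumentException("Rejected filter value type for key " + key);
            }
            safe.put(key, value);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input: ordinary metadata filter.
        Map<String, Object> ok = Map.of("author", "alice", "year", 2024);
        System.out.println("accepted: " + validate(ok).keySet());

        // Constructed sample input: a key carrying expression syntax characters.
        Map<String, Object> bad = Map.of("author'] or ['x", "alice");
        try {
            validate(bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

A check like this belongs at the API boundary, before request data is turned into a filter, and it complements the upgrade to the patched versions rather than replacing it.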

Secure Your Codebase Autonomously

AI frameworks evolve rapidly, and complex vulnerabilities require deep contextual understanding to catch. Apex acts as an AI-powered safety net that understands your codebase, identifies risks without the noise of false positives, and generates the Pull Requests needed to fix them.

You ship. Apex handles the rest.
