Back to all disclosures

CVE-2026-22738

Spring AI

Critical

CVSS Details

CVSS Score
9.8 CRITICAL
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness
SpEL Injection

Description

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

View on NVD

Timeline

Discovered
March 2026
Vendor Notified
March 2026
Patch Released
March 27, 2026 (v1.0.5, v1.1.4)
Public Disclosure
March 27, 2026