CVE Catalog

CVE-2026-22738

Critical
Published: Translated: NVD NIST

Summary

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.

Risk Assessment

Organizations using SimpleVectorStore and passing user-supplied input as a filter expression key are at risk of arbitrary code execution.

Recommendation

It is recommended to upgrade to Spring AI version 1.0.5 or 1.1.4 and later to mitigate this vulnerability.

Original NVD description (English source)

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS