Description
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected.
This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Published: 2026-03-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an expression language injection in Spring AI’s SimpleVectorStore, where an unescaped user‑supplied key is inserted directly into a SpEL filter expression. This allows an attacker to inject arbitrary Spring Expression Language code that is executed by the application, enabling full compromise of the host system. The weakness is a classic input validation failure (CWE‑917) and expression injection (CWE‑88) with severe consequences.

Affected Systems

Spring AI SimpleVectorStore versions earlier than 1.0.5 of the 1.0.x line and earlier than 1.1.4 of the 1.1.x line are vulnerable. Any deployment that uses SimpleVectorStore and passes user‑controlled values as filter keys is affected.

Risk and Exploitability

The issue carries a CVSS score of 9.8, indicating critical severity. The EPSS indicates an exploitation probability under 1 percent, and the vulnerability is not listed in the national known exploited vulnerabilities catalog, marking it as a high‑risk, yet not widely exploited threat. Based on the description, the attack vector would be remote, leveraging user input over a network or web interface to trigger the injection.

Generated by OpenCVE AI on May 10, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring AI to version 1.0.5 or newer, or to version 1.1.4 or newer.
  • If an upgrade is not possible, validate or escape all user‑supplied filter keys before passing them to SimpleVectorStore, ensuring only trusted expressions are evaluated.
  • Continuously monitor application logs for suspicious SpEL activity and maintain an incident response plan to address potential exploitation.

Generated by OpenCVE AI on May 10, 2026 at 15:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fvh3-672c-7p6c Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key
References
Link Providers
https://spring.io/security/cve-2026-22738 cve-icon cve-icon
History

Sun, 10 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-88

Fri, 17 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-90

Thu, 16 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring Ai
Weaknesses CWE-917
CPEs cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*
Vendors & Products Vmware
Vmware spring Ai

Sun, 29 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-90

Sat, 28 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring
Vendors & Products Spring
Spring spring

Fri, 27 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Title SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Spring Spring
Vmware Spring Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-05-10T13:04:38.045Z

Reserved: 2026-01-09T06:54:49.675Z

Link: CVE-2026-22738

cve-icon Vulnrichment

Updated: 2026-03-27T19:30:40.190Z

cve-icon NVD

Status : Modified

Published: 2026-03-27T06:16:37.663

Modified: 2026-05-10T14:16:48.133

Link: CVE-2026-22738

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses