In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
The vulnerability (CWE-917, CWE-88) consists of SimpleVectorStore using the value supplied by the user directly as a filter expression key, without proper validation or sanitization. An attacker can craft a malicious SpEL expression that will be executed by the Spring expression engine on the server side. This leads to arbitrary code execution in the context of the application (RCE). Only applications using SimpleVectorStore and passing user input as a filter expression key are vulnerable.
A remote and unauthenticated attacker can execute arbitrary code on the server, which in practice means complete takeover of the application, data leakage, resource modification, or further actions on the internal network.
Spring AI should be updated to version 1.0.5 or newer (for the 1.0.x branch) or to version 1.1.4 or newer (for the 1.1.x branch). Additionally, it is recommended to verify whether the application passes user data as filter expression keys to SimpleVectorStore, and to implement appropriate input validation. Details available at: https://spring.io/security/cve-2026-22738
Spring AI in versions from 1.0.0 to 1.0.4 (before 1.0.5) and from 1.1.0 to 1.1.3 (before 1.1.4). It affects only applications using the SimpleVectorStore component with user data passed as a filter expression key.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HVMware Spring Ai
APPVmware1.0.0 – 1.0.5 (bez)1.1.0 – 1.1.4 (bez)
Related vulnerabilities
A malicious user could craft input that is stored in conversation memory and later interpreted by the model in...
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could ...
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via u...
SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL que...
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translat...