CVE-2026-22738
Published: 27 March 2026
Summary
CVE-2026-22738 is a critical-severity Expression Language Injection (CWE-917) vulnerability in VMware Spring AI. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22738 is a SpEL injection vulnerability in the SimpleVectorStore component of Spring AI. It occurs when a user-supplied value is used as a filter expression key, enabling a malicious actor to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input directly as a filter expression key are affected. The vulnerability impacts Spring AI versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-917.
Any remote attacker can exploit this vulnerability without authentication or user interaction by supplying a crafted filter expression key to a vulnerable application. Successful exploitation allows arbitrary code execution on the server, potentially leading to full compromise including high confidentiality, integrity, and availability impacts.
The Spring security advisory at https://spring.io/security/cve-2026-22738 details the issue and recommends upgrading to Spring AI 1.0.5 or 1.1.4, where the vulnerability is addressed.
This vulnerability is particularly relevant to AI/ML applications leveraging Spring AI's vector store functionality for tasks like semantic search or retrieval-augmented generation. No real-world exploitation has been reported as of the CVE publication on 2026-03-27.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16535
Vulnerability details
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
- CWE(s): CWE-917 (Expression Language Injection)
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is a remote code execution flaw in a public-facing Spring AI component via SpEL injection, directly enabling exploitation of public-facing applications without authentication.
Mitigating Controls (NIST 800-53 r5)
- Upgrade/patch: Directly remediates the SpEL injection flaw in SimpleVectorStore by applying patches to vulnerable Spring AI versions 1.0.0-1.0.4 and 1.1.0-1.1.3 (fixed in 1.0.5 and 1.1.4).
- SI-10 (Information Input Validation): Validates user-supplied filter expression keys to reject or sanitize malicious SpEL payloads before they reach the vulnerable SimpleVectorStore component.
- RA-5 (Vulnerability Monitoring and Scanning): Scans systems for CVE-2026-22738 in Spring AI deployments to identify and prioritize patching of affected versions.
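The following Java class is an added example, not code from this page or from the Spring AI project. It shows the input-validation control (SI-10) described above applied to the scenario in the deeper analysis: a filter key taken from a request is only accepted if it is a bare identifier that names one of the metadata fields the application actually indexes, so user input never reaches the filter expression as anything but a known field name. The class name, the allowlist contents, the field names and the commented Spring AI builder calls are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not Spring AI project code): allowlist-based validation of
 * user-supplied metadata filter keys before they are turned into a vector
 * store filter expression. Class and field names are assumptions.
 */
public final class FilterKeyPolicy {

    // Constructed allowlist: the metadata fields this hypothetical application
    // indexes. Only these names may ever be used as a filter key.
    private static final Set<String> ALLOWED_KEYS = Set.of("tenant_id", "doc_type", "language");

    // A filter key must be a bare identifier; anything else (operators, braces,
    // quotes, whitespace) is not a field name and is rejected before the
    // allowlist lookup even runs.
    private static final Pattern IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,63}$");

    private FilterKeyPolicy() {}

    /** True only if the key is syntactically an identifier and on the allowlist. */
    public static boolean isAllowedKey(String key) {
        return key != null && IDENTIFIER.matcher(key).matches() && ALLOWED_KEYS.contains(key);
    }

    /**
     * Validates a user-supplied key/value pair and returns the pair the caller
     * may hand to the filter builder. Throws on any key that is not an
     * allowlisted identifier. The value is returned as data for the builder to
     * bind; it is never concatenated into expression text.
     */
    public static Map.Entry<String, Object> validatedEquality(String userKey, Object value) {
        if (!isAllowedKey(userKey)) {
            throw new IllegalArgumentException("filter key not permitted: " + describe(userKey));
        }
        return Map.entry(userKey, value);
    }

    // Log-safe description: do not echo untrusted content back verbatim.
    private static String describe(String key) {
        return key == null ? "<null>" : "length=" + key.length();
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate field name, one unknown field,
        // one string that is not an identifier at all.
        String[] candidates = {"tenant_id", "owner", "doc-type"};
        for (String c : candidates) {
            System.out.println("'" + c + "' -> " + (isAllowedKey(c) ? "accepted" : "rejected"));
        }
        // Assumed Spring AI usage, kept as a comment so this file compiles stand-alone:
        //   var b = new FilterExpressionBuilder();
        //   var e = validatedEquality(requestParamKey, requestParamValue);
        //   var filter = b.eq(e.getKey(), e.getValue()).build();
        //   vectorStore.similaritySearch(
        //       SearchRequest.builder().query(q).filterExpression(filter).build());
    }
}
```

Running the class prints `tenant_id` as accepted and `owner` and `doc-type` as rejected. The design point is that the set of valid keys is closed and decided by the application, so the check is a membership test on trusted names rather than an attempt to sanitize arbitrary expression text; upgrading to a fixed Spring AI release remains the primary remediation and this check is defence in depth.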