CVE-2026-22738
Published: 27 March 2026
Summary
CVE-2026-22738 is a critical-severity Expression Language Injection (CWE-917) vulnerability in VMware Spring AI. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood score sits at the 16.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly remediates the SpEL injection flaw in SimpleVectorStore by applying the fixed releases to vulnerable Spring AI versions 1.0.0-1.0.4 and 1.1.0-1.1.3.
- SI-10 (Information Input Validation): validates user-supplied filter expression keys to reject or sanitize malicious SpEL payloads before they reach the vulnerable SimpleVectorStore component.
- RA-5 (Vulnerability Monitoring and Scanning): scans systems for CVE-2026-22738 in Spring AI deployments to identify and prioritize patching of affected versions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote code execution flaw, reached through SpEL injection in a Spring AI component that applications commonly expose behind public-facing endpoints; that is exactly the access path T1190 describes.
NVD Description
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Deeper analysis
CVE-2026-22738 is a SpEL injection vulnerability in the SimpleVectorStore component of Spring AI. It occurs when a user-supplied value is used as a filter expression key, enabling a malicious actor to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input directly as a filter expression key are affected. The vulnerability impacts Spring AI versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-917.
An unauthenticated remote attacker who can control the value an application passes as a filter expression key can exploit the flaw with no user interaction. Successful exploitation yields arbitrary code execution in the application process, with high confidentiality, integrity, and availability impact and the potential for full server compromise. Applications that only ever use fixed, developer-defined keys (and pass user input solely as filter values) are outside the vulnerable pattern, which is why the exposure depends on how each application builds its filters.
The Spring security advisory at https://spring.io/security/cve-2026-22738 details the issue and recommends upgrading to Spring AI 1.0.5 or 1.1.4, where the vulnerability is addressed.
This vulnerability is particularly relevant to AI/ML applications leveraging Spring AI's vector store functionality for tasks like semantic search or retrieval-augmented generation. No real-world exploitation has been reported as of the CVE publication on 2026-03-27.
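The following Java example is added here to show the pattern the NVD description warns about (a request-controlled filter key) beside a hardened version that applies the input-validation control named above. It is not code from the Spring AI project or from the advisory. It assumes the Spring AI 1.x public API (SimpleVectorStore, SearchRequest, FilterExpressionBuilder, Document) and a Spring MVC controller; the endpoint paths, the ALLOWED_KEYS set and the metadata names "country", "tenant" and "year" are constructed for the example.

```java
// Added example, not Spring AI project code: a RAG search endpoint in its
// vulnerable and hardened forms. Assumptions: Spring AI 1.x public API and a
// Spring MVC controller; paths, ALLOWED_KEYS and metadata names are made up.
package example;

import java.util.List;
import java.util.Set;

import org.springframework.ai.document.Document;
import org.springframework.ai.vectorstore.SearchRequest;
import org.springframework.ai.vectorstore.SimpleVectorStore;
import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class DocumentSearchController {

    // Metadata keys this service indexes (constructed for the example).
    // Anything else is rejected before it can reach the store's filter logic.
    private static final Set<String> ALLOWED_KEYS = Set.of("country", "tenant", "year");

    private final SimpleVectorStore vectorStore;

    public DocumentSearchController(SimpleVectorStore vectorStore) {
        this.vectorStore = vectorStore;
    }

    // VULNERABLE PATTERN (matches the advisory): the caller chooses the filter
    // key, and that user-supplied key is handed to SimpleVectorStore as part of
    // the filter expression. On the affected versions this is the SpEL
    // injection path. The value is string-spliced too, which is a second
    // injection problem of its own.
    @GetMapping("/search/unsafe")
    public List<Document> unsafeSearch(@RequestParam String q,
                                       @RequestParam String key,
                                       @RequestParam String value) {
        String filter = key + " == '" + value + "'";   // key is attacker-controlled
        return vectorStore.similaritySearch(
                SearchRequest.builder().query(q).topK(5).filterExpression(filter).build());
    }

    // HARDENED: the key must be one of a fixed set the developer chose, so it
    // is never attacker-chosen; the value is passed to the typed builder as
    // data rather than spliced into an expression string.
    @GetMapping("/search")
    public List<Document> safeSearch(@RequestParam String q,
                                     @RequestParam String key,
                                     @RequestParam String value) {
        String safeKey = requireAllowedKey(key);
        Filter.Expression expr = new FilterExpressionBuilder().eq(safeKey, value).build();
        return vectorStore.similaritySearch(
                SearchRequest.builder().query(q).topK(5).filterExpression(expr).build());
    }

    // Input validation for the key: exact membership in the allowlist, with no
    // trimming, case-folding or character stripping that an attacker could
    // lean on. Unknown keys are rejected outright rather than "cleaned".
    static String requireAllowedKey(String key) {
        if (key == null || !ALLOWED_KEYS.contains(key)) {
            throw new IllegalArgumentException("unsupported filter key");
        }
        return key;
    }
}
```

The allowlist is a compensating control, not a substitute for the fix: keep it in place as a defence-in-depth measure, but upgrade to Spring AI 1.0.5 or 1.1.4 as the advisory recommends. When auditing a codebase, search for every call that passes a String or Filter.Expression into SearchRequest and trace where the key names originate; only paths where a key can be influenced by a request, a message, or stored user data match the vulnerable condition.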
Details
- CWE(s): CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement, "Expression Language Injection")
- Affected Products: Spring AI from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4 (fixed in 1.0.5 and 1.1.4)
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keyword: ai