
Spring AI Patches Critical RCE Flaw in SimpleVectorStore

Spring, the Java application framework ecosystem, has patched a critical remote code execution flaw in Spring AI, its framework for building AI features into Spring and Spring Boot apps. The bug, CVE-2026-22738, is a Spring Expression Language, or SpEL, injection flaw in the SimpleVectorStore component that can let an attacker run arbitrary code on a server if a vulnerable application lets untrusted user input control a filter-expression key.

Spring rated the issue 9.8 out of 10. The CVSS vector shows it is remotely reachable and low in complexity, and that exploitation requires neither privileges nor user interaction.

The flaw sits in SimpleVectorStore, which Spring AI’s own documentation says is meant only for testing or demonstration, not production use. Spring AI also documents that applications can pass string-based metadata filters into similaritySearch through SearchRequest.filterExpression(...). A likely attack path is a public search, retrieval or RAG endpoint that accepts user-controlled metadata filters and forwards them to SimpleVectorStore, where a crafted key could be evaluated on the server instead of treated strictly as data.

Affected versions are Spring AI 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3. Fixed versions are 1.0.5 and 1.1.4, both released March 26. Spring says only applications that use SimpleVectorStore and pass user-supplied input as a filter-expression key are affected. Spring has not published a customer or end-user count in its advisory, so the number exposed is not publicly known.

Spring’s release notes say the patched versions improve SimpleVectorStore filter evaluation logic, and the vendor says no further mitigation is necessary beyond upgrading. As of March 27, neither Spring’s advisory nor NVD said the flaw was being exploited in the wild. GitHub’s advisory for the CVE also listed “no known source code,” which means no public PoC had been linked there at publication time. Spring disclosed the issue March 26; NVD published the record March 27.
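Since the affected pattern is an endpoint that forwards a user-controlled metadata key into a string filter expression, the defensive pattern is to never let user input become the key at all. The following is an added illustration, not code from Spring or from the advisory: it assumes the Spring AI 1.0-line API names `SearchRequest.builder()`, `Filter.Expression` and `FilterExpressionBuilder` (and its `Op.build()`), and uses placeholder metadata key names that an application would replace with the keys its own ingestion pipeline sets. User-supplied keys are checked against an allowlist and the filter is assembled with the builder rather than by concatenating a filter-expression string, so the store only ever sees keys the application defined.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.ai.document.Document;
import org.springframework.ai.vectorstore.SearchRequest;
import org.springframework.ai.vectorstore.VectorStore;
import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

// Added example (not Spring's code): keeps untrusted input out of the filter-expression key.
public final class SafeMetadataSearch {

    // Allowlist of metadata keys the application itself wrote at ingestion time.
    // Placeholder names; substitute the keys your own documents actually carry.
    private static final Set<String> ALLOWED_KEYS = Set.of("tenant", "category", "source");

    private final VectorStore vectorStore;

    public SafeMetadataSearch(VectorStore vectorStore) {
        this.vectorStore = vectorStore;
    }

    /**
     * Builds a filter from user-chosen key/value pairs. Keys are validated against the
     * allowlist and the expression is assembled with FilterExpressionBuilder, so no
     * user-controlled text is ever parsed as a filter-expression key. Returns null when
     * the caller supplied no filters.
     */
    public static Filter.Expression buildFilter(Map<String, String> userFilters) {
        FilterExpressionBuilder b = new FilterExpressionBuilder();
        FilterExpressionBuilder.Op combined = null;
        for (Map.Entry<String, String> entry : userFilters.entrySet()) {
            String key = entry.getKey();
            if (!ALLOWED_KEYS.contains(key)) {
                // Reject rather than pass through: an unknown key is never forwarded to the store.
                throw new IllegalArgumentException("unsupported metadata key: " + key);
            }
            // Values are bound as data by the builder, not spliced into an expression string.
            FilterExpressionBuilder.Op clause = b.eq(key, entry.getValue());
            combined = (combined == null) ? clause : b.and(combined, clause);
        }
        return combined == null ? null : combined.build();
    }

    /** Runs a similarity search with the validated filter, if any, attached. */
    public List<Document> search(String query, Map<String, String> userFilters) {
        SearchRequest.Builder request = SearchRequest.builder().query(query).topK(5);
        Filter.Expression filter = buildFilter(userFilters);
        if (filter != null) {
            request.filterExpression(filter);
        }
        return vectorStore.similaritySearch(request.build());
    }
}
```

The allowlist is the important part: it means a request such as `{"tenant": "acme"}` is accepted while any other key is rejected before it reaches the store. This is defense in depth alongside the version upgrade, and it applies to any vector store that accepts string filter expressions, not only SimpleVectorStore.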
