UNKNOWN

CVE-2026-22738

Spring AI: SpEL injection is triggered when a user-supplied value is used as a filter expression key

Platform

java

Component

org.springframework.ai:spring-ai-vector-store

Fixed in

1.0.5

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

How to fix

Update Spring AI to version 1.0.5 or later if you are on the 1.0.x branch, or to version 1.1.4 or later if you are on the 1.1.x branch. This fixes the SpEL injection vulnerability in SimpleVectorStore. Avoid passing user-supplied input directly as filter expression keys.
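One way to keep user-supplied input out of filter expression keys, as an added example (not code from Spring AI or from this advisory): the client chooses from a fixed set of field names, and only server-defined strings are ever passed as the key. The class name, request field names and metadata keys are hypothetical; `FilterExpressionBuilder` and `Filter.Expression` are the Spring AI filter types.

```java
import java.util.Map;

import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

/** Added example: resolves client-facing field names to fixed metadata keys. */
public final class SafeFilterKeys {

    // Assumption: hypothetical request field names (left) and metadata keys (right).
    // The strings on the right are the only values that can become a filter key.
    private static final Map<String, String> ALLOWED_KEYS = Map.of(
            "category", "category",
            "lang", "language",
            "year", "publication_year");

    private SafeFilterKeys() {
    }

    /** Returns the server-defined key for a requested field, or rejects the request. */
    public static String resolveKey(String requestedField) {
        if (requestedField == null) {
            throw new IllegalArgumentException("filter field is required");
        }
        String key = ALLOWED_KEYS.get(requestedField);
        if (key == null) {
            // The raw input is not echoed back and never reaches the vector store.
            throw new IllegalArgumentException("unsupported filter field");
        }
        return key;
    }

    /** Builds an equality filter whose key always comes from ALLOWED_KEYS. */
    public static Filter.Expression equalsFilter(String requestedField, Object value) {
        return new FilterExpressionBuilder().eq(resolveKey(requestedField), value).build();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one allowlisted field, one unknown field.
        System.out.println(equalsFilter("lang", "en"));
        try {
            equalsFilter("not-a-known-field", "en");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

This complements the upgrade to a fixed version rather than replacing it.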
