EUVD-2026-16535
GHSA-fvh3-672c-7p6c
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Blast Radius
ecosystem impact- 162 maven packages depend on org.springframework.ai:spring-ai-vector-store (35 direct, 127 indirect)
Ecosystem-wide dependent count for version 1.0.0.
DescriptionCVE.org
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Articles & Coverage 1
AnalysisAI
Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 allow unauthenticated remote code execution through Spring Expression Language (SpEL) injection in the SimpleVectorStore component when user-supplied input is incorporated into filter expression keys. This critical vulnerability (CVSS 9.8) enables attackers to execute arbitrary code without authentication on applications using SimpleVectorStore with untrusted filter input. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires Spring AI 1.0.0-1.0.4 or 1.1.0-1.1.3 with SimpleVectorStore enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This vulnerability represents critical real-world risk based on converging threat signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Spring AI application that accepts search filters through an HTTP API endpoint and uses SimpleVectorStore for vector similarity operations. The attacker crafts a malicious HTTP request containing a SpEL expression payload in the filter parameter, such as a serialized Java object instantiation command or runtime execution directive. … |
| Remediation | Upgrade Spring AI to version 1.0.5 or later for the 1.0.x series, or version 1.1.4 or later for the 1.1.x series as documented in the vendor security advisory at https://spring.io/security/cve-2026-22738. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all applications using Spring AI 1.0.0-1.0.4 or 1.1.0-1.1.3 and assess whether SimpleVectorStore processes untrusted user input in filter expressions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust applica
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re
Share
External POC / Exploit Code
Leaving vuln.today