Spring AI, the popular framework for integrating AI models into Java applications, is facing a series of security challenges. Three recent advisories describe vulnerabilities that could allow attackers to execute code, inject malicious database queries, or pivot into private networks.
The Critical SpEL Injection (CVE-2026-22738)
The most severe of the three is a SpEL (Spring Expression Language) injection rated critical, with a CVSS score of 9.8. The issue lies within the SimpleVectorStore component: when a user-supplied value is used as a filter expression key, it is interpreted as SpEL rather than treated as an inert identifier.
“A malicious actor could exploit this to execute arbitrary code.”
In practice this lets an unauthenticated attacker bypass the application's intended logic and execute code of their choosing inside the application process, with whatever privileges that process holds. If your application passes raw user input into vector store filter expressions, and in particular uses it as the key side of a filter, you are in the immediate line of fire.
SSRF via BedrockProxyChatModel (CVE-2026-22742)
For those using multimodal AI features—such as analyzing images or documents—CVE-2026-22742 poses a significant risk with a CVSS of 8.6. This SSRF flaw occurs when the BedrockProxyChatModel processes media URLs provided by a user.
Because the framework fails to properly validate these URLs, an attacker can “induce the server to issue HTTP requests to unintended internal or external destinations”. This could be used to scan internal networks or to reach cloud instance metadata services and other endpoints that are not exposed to the public internet.
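As an added illustration for this article (not Spring AI's code, and not the patched framework's own check), the following Java class shows the pre-flight validation an application should apply to a user-supplied media URL before handing it to anything that fetches it: only http/https, no embedded credentials, a host allow-list, and a resolved-address check that rejects loopback, link-local (which covers the 169.254.169.254 metadata endpoint), site-local and multicast targets. The allow-list contents, the Resolver hook and the fake DNS table in main are this example's own constructs.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Map;
import java.util.Set;

/**
 * Pre-flight check for a user-supplied media URL before any server-side fetch.
 * Added illustration for this article; not Spring AI code. The allow-list and
 * the Resolver interface are this example's own constructs.
 */
public final class MediaUrlGuard {

    /** DNS lookup hook so the check can be exercised without network access. */
    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private final Set<String> allowedHosts;   // hosts this deployment may fetch from
    private final Resolver resolver;

    public MediaUrlGuard(Set<String> allowedHosts, Resolver resolver) {
        this.allowedHosts = allowedHosts;
        this.resolver = resolver;
    }

    /** Returns the parsed URI if it is safe to fetch; otherwise throws. */
    public URI validate(String raw) throws UnknownHostException {
        URI uri = URI.create(raw);                       // IllegalArgumentException on bad syntax
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase();
        if (!ALLOWED_SCHEMES.contains(scheme)) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        if (uri.getRawUserInfo() != null) {              // http://trusted@evil tricks
            throw new IllegalArgumentException("credentials in URL not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new IllegalArgumentException("URL has no host");
        }
        host = host.toLowerCase();
        if (!allowedHosts.contains(host)) {
            throw new IllegalArgumentException("host not on allow-list: " + host);
        }
        // Second layer: even an allow-listed name must not resolve to an internal
        // address. A resolver can still answer differently at fetch time (DNS
        // rebinding), so pin the resolved address in the HTTP client where possible.
        for (InetAddress addr : resolver.resolve(host)) {
            if (isInternal(addr)) {
                throw new IllegalArgumentException(host + " resolves to internal address " + addr.getHostAddress());
            }
        }
        return uri;
    }

    static boolean isInternal(InetAddress a) {
        return a.isLoopbackAddress()       // 127.0.0.0/8, ::1
            || a.isAnyLocalAddress()       // 0.0.0.0, ::
            || a.isLinkLocalAddress()      // 169.254.0.0/16 incl. cloud metadata endpoints, fe80::/10
            || a.isSiteLocalAddress()      // 10/8, 172.16/12, 192.168/16, fec0::/10
            || a.isMulticastAddress();
    }

    public static void main(String[] args) {
        // Constructed resolver table: the example's own stand-in for DNS.
        Map<String, String> fakeDns = Map.of(
            "images.example.com", "203.0.113.10",   // documentation range, treated as public here
            "cdn.example.com", "10.0.0.5");          // allow-listed name that points inside
        Resolver stub = host -> {
            String ip = fakeDns.get(host);
            if (ip == null) throw new UnknownHostException(host);
            return new InetAddress[] { InetAddress.getByName(ip) };
        };
        MediaUrlGuard guard = new MediaUrlGuard(Set.of("images.example.com", "cdn.example.com"), stub);

        String[] samples = {
            "https://images.example.com/cat.png",           // passes every layer
            "http://169.254.169.254/latest/meta-data/",     // stopped by the allow-list
            "https://cdn.example.com/logo.png",             // stopped by the address check
            "file:///etc/passwd",                           // stopped by the scheme check
            "https://images.example.com@10.0.0.5/x.png"     // stopped by the userinfo check
        };
        for (String s : samples) {
            try {
                System.out.println("ALLOW  " + guard.validate(s));
            } catch (IllegalArgumentException | UnknownHostException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Upgrading remains the fix; this check is defence in depth in the calling application, and it has known gaps: java.net's isSiteLocalAddress() does not cover every non-routable range (100.64.0.0/10, for example), and a DNS answer can change between this check and the actual fetch, so pin the resolved address at the HTTP-client layer when the client allows it.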
Cypher Injection in Neo4j (CVE-2026-22743)
The third vulnerability affects the spring-ai-neo4j-store component. When a user controls the string passed as a filter expression key, the store fails to escape “backticks” before embedding the key into a Cypher property accessor.
This Cypher injection (CVSS 7.5) lets an attacker manipulate database queries: a backtick in the key terminates the quoted identifier, and whatever follows it is parsed as Cypher, so the attacker can break out of the intended query structure and potentially read data in the Neo4j graph that the query was never meant to return.
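CVE-2026-22738 and CVE-2026-22743 share the same root: a request-controlled string ends up as the key of a filter expression, where one sink evaluates it as SpEL and the other splices it into a backtick-quoted Cypher identifier. The Java class below is an added example for this article, not code from Spring AI or Neo4j. It rejects any key that is not a plain identifier on a hypothetical allow-list of indexed metadata fields, and shows how a Cypher identifier is quoted so that an embedded backtick cannot close it. The KNOWN_KEYS set and the two attacker strings in main are constructed for the example; the SpEL string is the general shape of a type-reference payload, not a claim about the exact expression that reaches SimpleVectorStore.

```java
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Guards for filter keys that originate from a request. Added illustration for
 * this article; not Spring AI or Neo4j code. KNOWN_KEYS is a hypothetical
 * allow-list of the metadata fields the application actually indexes.
 */
public final class FilterKeyGuard {

    private static final Set<String> KNOWN_KEYS = Set.of("author", "year", "tenant_id");

    // Plain identifier only: no quotes, braces, backticks, dots, parentheses or
    // operators, so nothing an expression language could interpret.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,63}");

    /** Return the key unchanged if it is a known plain identifier; otherwise reject it. */
    public static String requireKnownKey(String userKey) {
        if (userKey == null || !IDENTIFIER.matcher(userKey).matches()) {
            throw new IllegalArgumentException("filter key is not a plain identifier");
        }
        if (!KNOWN_KEYS.contains(userKey)) {
            throw new IllegalArgumentException("unknown filter key: " + userKey);
        }
        return userKey;
    }

    /** Quote a Cypher identifier: wrap in backticks and double any embedded backtick. */
    public static String quoteCypherIdentifier(String name) {
        return "`" + name.replace("`", "``") + "`";
    }

    /** Mirrors the flaw the advisory describes: the key lands inside backticks verbatim. */
    static String unsafeAccessor(String key) {
        return "node.`" + key + "`";
    }

    /** Same accessor built with proper identifier quoting. */
    static String safeAccessor(String key) {
        return "node." + quoteCypherIdentifier(key);
    }

    public static void main(String[] args) {
        // Constructed attacker inputs for the two bug classes on this page.
        String spelKey = "T(java.lang.Runtime).getRuntime().exec('id')";
        String cypherKey = "author` = 'x' OR true //";

        for (String k : new String[] { "author", spelKey, cypherKey }) {
            try {
                System.out.println("ACCEPT " + requireKnownKey(k));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + k + " (" + e.getMessage() + ")");
            }
        }

        // What the Cypher property accessor looks like with and without escaping.
        System.out.println("unsafe: " + unsafeAccessor(cypherKey));
        System.out.println("safe:   " + safeAccessor(cypherKey));
    }
}
```

For the constructed cypherKey, unsafeAccessor yields node.`author` = 'x' OR true //` where the injected backtick ends the identifier after author and the remainder is live Cypher, while safeAccessor yields node.`author`` = 'x' OR true //` which Cypher reads as a single property name, because a doubled backtick inside a quoted identifier is a literal backtick. Even with escaping available, the allow-list is the check to rely on: a filter key should never be free-form text, and the same rule keeps the SpEL sink out of reach.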
Are You Affected?
All three vulnerabilities affect the same Spring AI version ranges: 1.0.0 up to, but not including, 1.0.5, and 1.1.0 up to, but not including, 1.1.4. Check the Spring AI version your build pins (the org.springframework.ai artifacts or the Spring AI BOM) to see whether you are in range.
The Solution: Upgrade Now
Administrators and developers must upgrade to the latest patched releases.
| Affected Branch | Required Fix Version | Availability |
|---|---|---|
| 1.0.x | 1.0.5 | OSS |
| 1.1.x | 1.1.4 | OSS |