Spring Product Security Update Advisory
Overview
We have released security updates that address vulnerabilities in Spring products. Users of affected products are encouraged to update to the latest version.
Affected Products
CVE-2026-22738, CVE-2026-22742, CVE-2026-22743, CVE-2026-22744
Spring AI version: 1.0.0 or later and earlier than 1.0.5
Spring AI version: 1.1.0 or later and earlier than 1.1.4
Resolved Vulnerabilities
SpEL injection vulnerability in SimpleVectorStore in Spring AI (CVE-2026-22738)
Server-side request forgery vulnerability in BedrockProxyChatModel in Spring AI (CVE-2026-22742)
Server-side request forgery vulnerability in Neo4jVectorStore in Spring AI (CVE-2026-22743)
RediSearch query injection vulnerability in RedisVectorStore in Spring AI (CVE-2026-22744)
Vulnerability Patches
Patches for these vulnerabilities are included in the latest update. Please follow the instructions on the referenced site to update to the patched version.
CVE-2026-22738, CVE-2026-22742, CVE-2026-22743, CVE-2026-22744
Spring AI version: 1.0.5
Spring AI version: 1.1.4
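To check the Spring AI versions declared in a project against the ranges in this advisory, the following Python script (an added example, not part of the advisory or of the Spring AI project) encodes the affected and fixed versions listed above and scans a Maven POM fragment for inline versions. The sample POM fragment and its artifact names are constructed for illustration, and the handling of pre-release qualifiers assumes Maven's ordering (1.0.5-SNAPSHOT sorts before 1.0.5).

```python
import re

# Affected ranges copied from this advisory: [first affected, first fixed) per release line.
AFFECTED_RANGES = [((1, 0, 0), (1, 0, 5)), ((1, 1, 0), (1, 1, 4))]
CVES = ("CVE-2026-22738", "CVE-2026-22742", "CVE-2026-22743", "CVE-2026-22744")
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")
# A Spring AI <artifactId> followed by its inline <version>, as written in a Maven POM.
DEP_RE = re.compile(r"<artifactId>(spring-ai-[^<]+)</artifactId>\s*<version>([^<]+)</version>")

def parse_version(text):
    """Return (major, minor, patch, qualifier) or None if text is not a plain version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), qualifier)

def is_affected(version_text):
    """True if a Spring AI version lies in an affected range of this advisory. Assumption:
    a pre-release of the fixed version (1.0.5-SNAPSHOT, 1.1.4-M1) still lacks the fix."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    core, qualifier = v[:3], v[3]
    for first_bad, first_fixed in AFFECTED_RANGES:
        if first_bad <= core < first_fixed or (core == first_fixed and qualifier):
            return True
    return False

def scan_pom(pom_text):
    """Return [(artifact, version, affected)] for each Spring AI dependency with an inline
    <version>; an unresolved property such as ${spring-ai.version} yields None. Versions
    managed by spring-ai-bom are not inline, so the BOM's own <version> is the one to check."""
    results = []
    for art, ver in DEP_RE.findall(pom_text):
        parsed = parse_version(ver)
        results.append((art, ver, is_affected(ver) if parsed else None))
    return results

# Constructed sample POM fragment (not taken from the advisory) for a stand-alone run.
SAMPLE_POM = """<dependency><groupId>org.springframework.ai</groupId>
  <artifactId>spring-ai-starter-vector-store-redis</artifactId><version>1.1.2</version></dependency>
<dependency><groupId>org.springframework.ai</groupId>
  <artifactId>spring-ai-bom</artifactId><version>1.0.5</version></dependency>"""

if __name__ == "__main__":
    for art, ver, bad in scan_pom(SAMPLE_POM):
        status = {True: "AFFECTED by " + ", ".join(CVES), False: "patched", None: "unresolved"}[bad]
        print(f"{art} {ver}: {status}")
```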
References
[1] CVE-2026-22738: SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
https://spring.io/security/cve-2026-22738
[2] CVE-2026-22742: Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching
https://spring.io/security/cve-2026-22742
[3] CVE-2026-22743: Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore
https://spring.io/security/cve-2026-22743
[4] CVE-2026-22744: RediSearch Query via Unescaped TAG Filter Values in RedisVectorStore
https://spring.io/security/cve-2026-22744