CVE-2026-41863

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0...

com.originlang:originlang-ai (>=0.1.0 <=0.1.1) potentially affected by CVE-2026-41712 via org.springframework.ai:spring-ai-advisors-vector-store (=2.0.0-M4)

org.springframework.ai:spring-ai-advisors-vector-store MAVEN version =2.0.0-M4 is affected by a known vulnerability. The following packages have a transitive dependency on org.springframework.ai:spring-ai-advisors-vector-store and may be impacted: - com.originlang:originlang-ai =0.1.0, =0.1.1...

This Week in Spring - May 12th, 2026

Hi, Spring fans! As I write this I am in Miami, FL at the CodeRemix.ai show, focused on the wide and wonderful world of OpenRewrite and Moderne. I've got a talk to give so let's dive right into it! a quick note about the upcoming release train dates in last week's installment of A Bootiful Podcas...

This Week in Spring - April 28th, 2026

Hi Spring fans! Welcome to another installment of This Week in Spring! As I write this, I'm on PTO in beautiful Santorini, Greece, catching up on some news and about to cruise the islands for some sightseeing. There's nothing quite like springtime in the Mediterranean! I couldn't dream of enjoyin...

org.springframework.ai:spring-ai-oracle-store-spring-boot-starter (>=1.0.0-M5 <=1.0.0-M6), org.springframework.ai:spring-ai-starter-vector-store-oracle (>=1.0.0 <=1.0.5) potentially affected by CVE-2026-40967 via org.springframework.ai:spring-ai-oracle-store (>=1.0.0-M5 <=1.0.5)

org.springframework.ai:spring-ai-oracle-store MAVEN version =1.0.0-M5, =1.0.0-M5, =1.0.0, =1.0.5 Source cves: CVE-2026-40967 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-16321393...

A Bootiful Podcast: the legendary Craig Walls

Hi Spring fans! In this installment we talk to the legendary Craig Walls, author of Spring In Action , Spring AI in Action , and more!...

This Week in Spring - April 14th, 2026

Hi, Spring fans! ¡Hola from Barcelona, Spain! I'm at the amazing Spring I/O event, hanging out with some of the amazing Spring ecosystem developers! Life is amazing here in the warm sun of springtime. There's a lot to look at this week, so let's dive right into it! Another nice tutorial on how to...

CVE-2026-22742

The provided sources confirm a concrete SSRF vulnerability in Spring AI’s spring-ai-bedrock-converse BedrockProxyChatModel, triggered when processing multimodal messages with user-supplied media URLs. The root cause is insufficient validation of those URLs, allowing the server to issue HTTP reque...

This Week in Spring - March 24th, 2026

Hi, Spring fans! Welcome to yet another rip-roarin' installment of This Week in Spring. As usual, we've got a ton to look into, so let's dive right in! Happy 22nd birthday to Spring Framework, released this day 22 years ago! and of course, next week, 1 April 2026, marks 12 years since Spring Boot...

ai.driftkit:driftkit-vector-spring-ai (>=0.6.0 <=0.8.7), ai.driftkit:driftkit-vector-spring-ai-starter (>=0.6.0 <=0.8.7) +173 more potentially affected by CVE-2026-22729 via org.springframework.ai:spring-ai-vector-store (>=1.0.0-M7 <=1.0.3)

org.springframework.ai:spring-ai-vector-store MAVEN version =1.0.0-M7, =0.6.0, =0.6.0, =1.0.0.1, =1.0.0.1, =1.0.0.3, =1.0.0.3, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.1, =1.0.0.4 - com.alibaba.cloud.ai:sp...

CVE-2026-22730

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization...

Blending Chat with Rich UIs with Spring AI and MCP Apps

The way humans typically interact with AI is via a chat-style interface such as ChatGPT or Claude Desktop. In fact, the ability to converse with an AI in natural language is perhaps one of the most amazing things about this technology. It lets humans talk to computers in human terms, rather than...

org.springframework.ai:spring-ai-starter-vector-store-mariadb (>=2.0.0-M1 <=2.0.0-M2) potentially affected by CVE-2026-22730 via org.springframework.ai:spring-ai-mariadb-store (>=2.0.0-M1 <=2.0.0-M2)

org.springframework.ai:spring-ai-mariadb-store MAVEN version =2.0.0-M1, =2.0.0-M1, =2.0.0-M2 Source cves: CVE-2026-22730 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15679672...

A Bootiful Podcast: Spring Messaging Legend Soby Chacko

Hi, Spring fans! In this installment, we talk with the legendary Soby Chacko about Apache Kafka, Spring AI, and much more! apachekafka kafka...

Spring AI Agentic Patterns (Part 2): AskUserQuestionTool - Agents That Clarify Before Acting

Traditional AI interactions follow a common pattern: you provide a prompt, the AI makes assumptions, and produces a response. When those assumptions don't match your needs, you're left iterating through corrections. Each assumption creates rework—wasting time and context. What if your AI agent...

This Week in Spring - September 23rd, 2025

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm preparing my talks for several amazing shows including: Commit Your Code conference in Plano, Texas starting tomorrow; Dev2Next in Colorado; Devoxx Belgium in Antwerp, Belgium; and CloudFoundry Days in Germany. So much go...