Spring AI 1.0.x < 1.0.5 / 1.1.x < 1.1.4 Multiple Vulnerabilities

The version of Spring AI installed on the remote host is 1.0.x prior to 1.0.5 or 1.1.x prior to 1.1.4. It is, therefore, affected by multiple vulnerabilities, including: - A SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A...

CVE-2026-22743

Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey embeds the key into a backtick-delimited...

CVE-2026-22738

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression...

CVE-2026-22742

Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery SSRF vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests...

CVE-2026-22744

In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue inserts the value directly into the @field:VALUE RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0....

com.embabel.agent:embabel-agent-bedrock-autoconfigure (=0.2.0), com.embabel.agent:embabel-agent-starter-bedrock (=0.2.0) +2 more potentially affected by CVE-2026-22742 via org.springframework.ai:spring-ai-bedrock-converse (>=1.0.0-M5 <=1.0.4)

org.springframework.ai:spring-ai-bedrock-converse MAVEN version =1.0.0-M5, =1.0.0-M5, =1.0.0, =1.0.4 Source cves: CVE-2026-22742 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791534...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to insufficient validation of user-supplied media URLs in the BedrockProxyChatModel function. An attacker can cause the server to send HTTP requests to unintended internal or external destinations by...

com.embabel.agent:embabel-agent-bedrock-autoconfigure (=0.2.0), com.embabel.agent:embabel-agent-starter-bedrock (=0.2.0) +2 more potentially affected by CVE-2026-22742 via org.springframework.ai:spring-ai-autoconfigure-model-bedrock-ai (>=1.0.0-M7 <=1.0.4)

org.springframework.ai:spring-ai-autoconfigure-model-bedrock-ai MAVEN version =1.0.0-M7, =1.0.0, =1.0.0, =1.0.4 Source cves: CVE-2026-22742 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791533...

com.embabel.agent:embabel-agent-bedrock-autoconfigure (>=0.3.0 <=0.3.4), com.embabel.agent:embabel-agent-starter-bedrock (>=0.3.0 <=0.3.4) +2 more potentially affected by CVE-2026-22742 via org.springframework.ai:spring-ai-autoconfigure-model-bedrock-ai (>=1.1.0-M1 <=1.1.3)

org.springframework.ai:spring-ai-autoconfigure-model-bedrock-ai MAVEN version =1.1.0-M1, =0.3.0, =0.3.0, =1.1.0, =1.1.0, =1.1.3 Source cves: CVE-2026-22742 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791533...

com.embabel.agent:embabel-agent-bedrock-autoconfigure (>=0.3.0 <=0.3.4), com.embabel.agent:embabel-agent-starter-bedrock (>=0.3.0 <=0.3.4) +4 more potentially affected by CVE-2026-22742 via org.springframework.ai:spring-ai-bedrock-converse (>=1.1.0-M1 <=1.1.3)

org.springframework.ai:spring-ai-bedrock-converse MAVEN version =1.1.0-M1, =0.3.0, =0.3.0, =.30.0.rc5, =3.3.0.rc2, =3.3.0.rc2, =1.1.0, =1.1.3 Source cves: CVE-2026-22742 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791534...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation via the RedisFilterExpressionConverter function. An attacker can access sensitive information by injecting specially crafted input into the filter value for a TAG field, which is inserted directly into the...

org.springframework.ai:spring-ai-starter-vector-store-redis (>=1.1.0 <=1.1.3) potentially affected by CVE-2026-22744 via org.springframework.ai:spring-ai-redis-store (>=1.1.0-M1 <=1.1.3)

org.springframework.ai:spring-ai-redis-store MAVEN version =1.1.0-M1, =1.1.0, =1.1.3 Source cves: CVE-2026-22744 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791529...

Improper Input Validation

Overview Affected versions of this package are vulnerable to Improper Input Validation in the doKey function of Neo4jVectorFilterExpressionConverter when a user-controlled string is embedded as a filter expression key without proper escaping of backticks. An attacker can access internal resources...

com.chinagoods.framework.thinkcloud:think-cloud-starter-ai-vector-redis (>=4.2.3 <=4.2.6), org.springframework.ai:spring-ai-redis-store-spring-boot-starter (>=1.0.0-M5 <=1.0.0-M6) +2 more potentially affected by CVE-2026-22744 via org.springframework.ai:spring-ai-redis-store (>=1.0.0-M5 <=1.0.4)

org.springframework.ai:spring-ai-redis-store MAVEN version =1.0.0-M5, =4.2.3, =1.0.0-M5, =1.0.0, =1.3.0, =1.3.8 Source cves: CVE-2026-22744 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791529...

cn.echoparrot:echoparrot-application (=25.4.0), cn.echoparrot:echoparrot-core (>=25.4.0 <=25.4.4) +2 more potentially affected by CVE-2026-22743 via org.springframework.ai:spring-ai-neo4j-store (>=1.1.0-M1 <=1.1.3)

org.springframework.ai:spring-ai-neo4j-store MAVEN version =1.1.0-M1, =25.4.0, =1.1.0, =1.1.3 - org.vrspace:server =0.8.7 Source cves: CVE-2026-22743 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791530...

io.gitee.yeshizhe:echoparrot-application (=25.2.5), io.gitee.yeshizhe:echoparrot-core (=25.2.5) +2 more potentially affected by CVE-2026-22743 via org.springframework.ai:spring-ai-neo4j-store (>=1.0.0-M5 <=1.0.4)

org.springframework.ai:spring-ai-neo4j-store MAVEN version =1.0.0-M5, =1.0.0-M5, =1.0.0, =1.0.4 Source cves: CVE-2026-22743 Source advisory: SNYK:JAVA-ORGSPRINGFRAMEWORKAI-15791530...

org.springframework.ai:spring-ai-starter-vector-store-redis (>=1.1.0 <=1.1.3) potentially affected by CVE-2026-22744 via org.springframework.ai:spring-ai-redis-store (>=1.1.0-M1 <=1.1.3)

org.springframework.ai:spring-ai-redis-store MAVEN version =1.1.0-M1, =1.1.0, =1.1.3 Source cves: CVE-2026-22744 Source advisory: OSV:GHSA-44F4-GVWJ-6QG3...

GHSA-7CJ7-RCW6-P68V Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter

Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey embeds the key into a backtick-delimited...

Spring AI: Insufficient Validation causes SSRF when processing multimodal messages with user-supplied URLs

Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery SSRF vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests...

Spring AI has a Cypher Injection vulnerability in Neo4jVectorFilterExpressionConverter

Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey embeds the key into a backtick-delimited...