CVE-2026-22738

CRITICAL LAB

SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution

Title source: cna

Exploitation Summary

EIP tracks 4 public exploits for CVE-2026-22738. PoCs published by adminlove520, XZ1r0, rockmelodies.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-22738, demonstrating unauthenticated remote code execution via SpEL injection in Spring AI SimpleVectorStore. The exploit includes detailed technical analysis, a Dockerized vulnerable environment, and a Python script to trigger the vulnerability.

Description

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Exploits (4)

github · WORKING POC · 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-22738

This repository contains a functional exploit for CVE-2026-22738, demonstrating unauthenticated remote code execution via SpEL injection in Spring AI SimpleVectorStore. The exploit includes detailed technical analysis, a Dockerized vulnerable environment, and a Python script to trigger the vulnerability.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spring AI SimpleVectorStore (versions 1.0.0–1.0.4, 1.1.0-M1–1.1.3)
No auth needed
Prerequisites: Docker · Python 3 · requests library
devstral-2 · analyzed May 02, 2026
github · WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-22738-POC

This repository contains a functional exploit for CVE-2026-22738, a SpEL injection vulnerability in Spring AI SimpleVectorStore. The exploit demonstrates unauthenticated remote code execution by injecting malicious SpEL expressions into the filterKey parameter, bypassing input validation to execute arbitrary commands on the target system.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spring AI SimpleVectorStore (versions 1.0.0–1.0.4, 1.1.0-M1–1.1.3)
No auth needed
Prerequisites: Network access to the target application · Vulnerable version of Spring AI SimpleVectorStore
devstral-2 · analyzed May 21, 2026
nomisec · STUB
by rockmelodies · poc
https://github.com/rockmelodies/CVE-2026-22738

The repository contains only a minimal README with the CVE title and no exploit code, technical details, or additional content. It appears to be a placeholder or incomplete submission.

Classification: Stub 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 08, 2026
nomisec · WORKING POC
by n0n4m3x41 · poc
https://github.com/n0n4m3x41/CVE-2026-22738-POC

This repository contains a functional exploit for CVE-2026-22738, demonstrating unauthenticated remote code execution via SpEL injection in Spring AI's SimpleVectorStore. The exploit includes a Dockerized vulnerable environment and a Python script to trigger the vulnerability, confirming RCE via the EL1030E error indicator.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Spring AI SimpleVectorStore (versions 1.0.0–1.0.4, 1.1.0-M1–1.1.3)
No auth needed
Prerequisites: Docker · Python 3 · requests library
devstral-2 · analyzed Apr 08, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0006
EPSS Percentile: 17.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: none
Automatable: yes
Technical Impact: total

Lab Environment

COMMUNITY · SUSPICIOUS
Community Lab
docker pull eclipse-temurin:21-jre-jammy

Details

CWE: CWE-88, CWE-917
Status: published
Products (5):
org.springframework.ai/spring-ai-vector-store 1.0.0 - 1.0.5 (Maven)
org.springframework.ai/spring-ai-vector-store 1.1.0-M1 - 1.1.4 (Maven)
Spring/Spring AI 1.0.0 - 1.0.5
Spring/Spring AI 1.1.0 - 1.1.4
vmware/spring_ai 1.0.0 - 1.0.5
Published: Mar 27, 2026
Tracked Since: Mar 27, 2026