Full Report
Spring security advisory (AV26-288)
Analysis Summary
# Vulnerabilities: Spring Cloud and Spring AI Multiple Security Flaws
## CVE Details
- **CVE ID:** CVE-2026-22738, CVE-2026-22739, CVE-2026-22742, CVE-2026-22743, CVE-2026-22744
- **CVSS Score:** Varies by CVE; the advisory publishes no per-CVE scores. Prioritise the SpEL injection (CVE-2026-22738, remote code execution) as critical and the SSRF and query-injection issues as high until the referenced Spring pages confirm the vendor scores.
- **CWE:**
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-116: Improper Encoding or Escaping of Output
## Affected Systems
- **Products:**
- Spring Cloud Config
- Spring AI (SimpleVectorStore, Neo4jVectorStore, RedisVectorStore, BedrockProxyChatModel)
- **Versions:**
- Spring Cloud Config: Prior to 3.1.3, 4.1.9, 4.2.6, 4.3.2, and 5.0.2
- Spring AI: Prior to 1.0.5 and 1.1.4
- **Configurations:** Spring AI deployments that expose metadata filtering on `SimpleVectorStore`, `Neo4jVectorStore` or `RedisVectorStore` to user-controlled input, or that fetch media URLs through `BedrockProxyChatModel`; Spring Cloud Config Servers that use profile substitution.
## Vulnerability Description
This advisory covers five distinct vulnerabilities across the Spring ecosystem:
1. **RCE via SpEL Injection (CVE-2026-22738):** Unescaped filter keys in `SimpleVectorStore` allow for Spring Expression Language (SpEL) injection, leading to Remote Code Execution.
2. **SSRF & File Access (CVE-2026-22739):** Profile substitution in Spring Cloud Config can be manipulated to gain unauthorized access to local files or initiate SSRF attacks.
3. **SSRF via Metadata Filters (CVE-2026-22743):** Filter expression keys in the `Neo4jVectorStore` lack validation, allowing for SSRF.
4. **SSRF via Media URL Fetching (CVE-2026-22742):** The `BedrockProxyChatModel` fetches unvalidated media URLs, enabling SSRF.
5. **Query Injection (CVE-2026-22744):** Unescaped TAG filter values in `RedisVectorStore` allow for RediSearch query manipulation.
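The two "unescaped input" items above (CVE-2026-22738 and CVE-2026-22744) share one fix pattern: allow-list the filter key so it can never reach an expression parser, and escape the value according to the backend's query syntax. The following Python is an added example written for this summary, not Spring AI's own code (which is Java); the identifier pattern for keys, the `build_tag_query_*` helper names and the attacker input are assumptions. The `@key:{value}` shape is RediSearch's TAG filter syntax.

```python
import re

# Allow-list for metadata filter keys: plain identifiers only. SpEL type
# references (T(java.lang.Runtime)), method calls, quotes and braces all fail
# this pattern, so a hostile key never reaches an expression parser. The
# pattern is an assumption chosen for this example, not Spring AI's own rule.
SAFE_KEY = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def validate_filter_key(key: str) -> str:
    """Return key unchanged if it is a plain identifier, otherwise raise."""
    if not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected metadata filter key: {key!r}")
    return key


def escape_tag_value(value: str) -> str:
    """Backslash-escape every character RediSearch could read as syntax inside
    a TAG filter. Escaping everything outside [A-Za-z0-9_] over-escapes a
    little, which RediSearch tolerates, and avoids maintaining a special-character list."""
    return re.sub(r"([^A-Za-z0-9_])", r"\\\1", value)


def build_tag_query_unsafe(key: str, value: str) -> str:
    """The vulnerable shape: key and value interpolated verbatim into @key:{value}."""
    return f"@{key}:{{{value}}}"


def build_tag_query_safe(key: str, value: str) -> str:
    """Hardened shape: allow-listed key, escaped value."""
    return f"@{validate_filter_key(key)}:{{{escape_tag_value(value)}}}"


def is_key_rejected(key: str) -> bool:
    """Convenience wrapper so callers can test a key without catching exceptions."""
    try:
        validate_filter_key(key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker value: closes the tenant clause and ORs in another tenant,
    # turning a per-tenant filter into a cross-tenant read.
    hostile_value = "x} | @tenant:{victim"
    print(build_tag_query_unsafe("tenant", hostile_value))  # two clauses, isolation lost
    print(build_tag_query_safe("tenant", hostile_value))    # one clause, literal value
    # Constructed hostile key of the kind SpEL would evaluate if it were not rejected.
    hostile_key = "T(java.lang.Runtime).getRuntime().exec('id')"
    print(is_key_rejected(hostile_key))
```

The unsafe builder turns the constructed value into `@tenant:{x} | @tenant:{victim}`, a union of two TAG clauses; the safe builder keeps it a single clause whose braces, pipe and spaces are literal. Rejecting keys outright, rather than escaping them, is deliberate: a key that needs escaping is never a legitimate metadata field name.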
## Exploitation
- **Status:** No reports of active exploitation in the wild at the time of the advisory, and no public proof of concept is cited. The SpEL injection (CVE-2026-22738) is the most readily weaponized of the five: SpEL evaluated against a standard evaluation context can reference arbitrary classes (for example through `T(...)` type references) and invoke their methods, so a working payload needs no memory corruption or secondary bug.
- **Complexity:** Medium to Low (depending on exposure of search/filter inputs).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Potential full system access via RCE or unauthorized file read).
- **Integrity:** High (Potential for code execution or unauthorized data modification).
- **Availability:** High (Potential for system takeover or service disruption).
## Remediation
### Patches
Users should upgrade to the following versions or higher:
- **Spring Cloud Config:** 3.1.3, 4.1.9, 4.2.6, 4.3.2, or 5.0.2
- **Spring AI:** 1.0.5 or 1.1.4
### Workarounds
- **Input Validation:** For Spring AI, strictly validate all user-supplied metadata filter keys and values before they reach a vector store: restrict keys to an allow-list of plain identifiers (no `T(`, `#{`, parentheses or quotes) and escape or parameterise values according to the backend's query syntax (RediSearch TAG values need their special characters backslash-escaped).
- **Network Segmentation:** Implement egress filtering to mitigate SSRF impact by restricting the application's ability to reach internal resources, in particular loopback, RFC 1918 ranges and the cloud instance-metadata endpoint (169.254.169.254).
- **Access Control:** Disable unnecessary Spring Cloud Config profiles or restrict access to the Config Server.
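For the SSRF side of the workarounds (CVE-2026-22739, CVE-2026-22742 and CVE-2026-22743), this is the check a fetcher should run before following a user-supplied URL: a scheme allow-list, then resolution of the host and rejection of any non-public address. It is an added example in Python rather than the project's Java, with a constructed resolver table standing in for DNS so it runs offline; the hostnames, addresses, allowed scheme and function names are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline. Hostnames and
# addresses are sample values chosen for this example.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    # A name with one public and one private answer: must be rejected as a whole.
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}

# Assumption for this example: media may only be fetched over HTTPS.
ALLOWED_SCHEMES = {"https"}


def is_globally_routable(ip: str) -> bool:
    """True only for public unicast addresses. Loopback, RFC 1918, link-local
    (which covers the 169.254.169.254 metadata endpoint), CGNAT, multicast
    and reserved ranges all return False."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> str:
    """Return the URL if it is safe to fetch, otherwise raise ValueError."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")  # also blocks file://
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4 or IPv6
    except ValueError:
        addrs = resolve(host)  # hostname: every resolved address must pass
    if not addrs:
        # Unresolvable names, and shorthand like "127.1" or decimal "2130706433"
        # that the strict parser rejects, fail closed rather than being fetched.
        raise ValueError(f"unresolvable host: {host!r}")
    for ip in addrs:
        if not is_globally_routable(ip):
            raise ValueError(f"host {host!r} resolves to non-public address {ip}")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_fetch_url for callers that do not want exceptions."""
    try:
        validate_fetch_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in (
        "https://cdn.example.com/image.png",
        "https://metadata.internal/latest/meta-data/",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/",
        "file:///etc/passwd",
        "https://rebind.example.net/x",
    ):
        print(is_safe_url(candidate), candidate)
```

Two caveats apply in production. The address that passed validation must be the one actually connected to (pin the resolved IP, or re-validate inside the HTTP client's connection hook), otherwise a DNS answer can change between check and fetch. And this check complements, not replaces, the egress filtering above: a host-level allow-list catches what application code forgets.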
## Detection
- **Indicators of Compromise:** Unusual outbound requests from Spring Cloud Config or Spring AI application servers (SSRF), especially to loopback, private or link-local addresses; SpEL constructs (type references such as `T(java.lang.Runtime)`, `#{...}` template delimiters, method calls) in metadata filter keys or vector store query logs; path traversal or URL fragments in the application, profile or label segments of Config Server requests.
- **Detection Methods:** Vulnerability scanners should be updated to check Spring dependency versions. Check the resolved dependency tree (`mvn dependency:tree`, `gradle dependencies`) rather than only the versions declared in `pom.xml` or `build.gradle`, since the affected Spring Cloud Config and Spring AI modules are often pulled in transitively through starters or a BOM.
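An added example of the indicator logic above applied to constructed log lines (the log format, field names and sample events are invented for this example and are not Spring's log layout): one rule per indicator, returning which rules fired on which line.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed log lines in a made-up format; field names are assumptions.
SAMPLE_LOG = """\
2026-03-02T10:14:03Z INFO VectorSearch filter="author == 'alice'"
2026-03-02T10:14:07Z INFO VectorSearch filter="T(java.lang.Runtime).getRuntime().exec('id') == 'x'"
2026-03-02T10:14:09Z INFO VectorSearch filter="#{systemProperties['user.home']} == 'x'"
2026-03-02T10:15:11Z INFO MediaFetch url=https://cdn.example.com/img.png
2026-03-02T10:15:12Z INFO MediaFetch url=https://169.254.169.254/latest/meta-data/
2026-03-02T10:16:00Z INFO ConfigRequest application=app profile=../../../etc label=main
2026-03-02T10:16:02Z INFO ConfigRequest application=app profile=prod label=main
"""

# SpEL constructs that have no business in a metadata filter: type references,
# template delimiters, reflective/process calls and constructor invocations.
SPEL_MARKERS = re.compile(r"T\(|#\{|\.exec\(|getRuntime|forName\(|new\s+[A-Za-z_][\w.]*\(")
FILTER_RE = re.compile(r'filter="([^"]*)"')
URL_RE = re.compile(r"url=(\S+)")
PLACEHOLDER_RE = re.compile(r"(application|profile|label)=(\S+)")
# Config Server path segments should be simple names: no slashes, dots, colons.
SAFE_PLACEHOLDER = re.compile(r"[A-Za-z0-9_-]+")


def scan_line(line: str) -> list:
    """Return the names of the indicator rules that fire on one log line."""
    findings = []
    m = FILTER_RE.search(line)
    if m and SPEL_MARKERS.search(m.group(1)):
        findings.append("spel-in-filter")
    m = URL_RE.search(line)
    if m:
        host = urlparse(m.group(1)).hostname or ""
        try:
            if not ipaddress.ip_address(host).is_global:
                findings.append("outbound-non-public-ip")
        except ValueError:
            pass  # a hostname, not a literal IP; resolve it offline before judging
    for name, value in PLACEHOLDER_RE.findall(line):
        if not SAFE_PLACEHOLDER.fullmatch(value):
            findings.append(f"unsafe-{name}")
    return findings


def scan_log(text: str) -> dict:
    """Map 1-based line number to the list of rules that fired on that line."""
    hits = {}
    for number, line in enumerate(text.splitlines(), 1):
        fired = scan_line(line)
        if fired:
            hits[number] = fired
    return hits


if __name__ == "__main__":
    for number, fired in scan_log(SAMPLE_LOG).items():
        print(number, fired)
```

Lines 2 and 3 trip the SpEL rule, line 5 the outbound-address rule (the metadata endpoint is link-local, so `is_global` is false) and line 6 the placeholder rule for the traversal in `profile`; the benign lines produce no findings. The markers are a starting point for a SIEM rule, not an exhaustive SpEL grammar, so treat a hit as a trigger for review rather than proof of compromise.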
## References
- hxxps[://]spring[.]io/security/cve-2026-22739
- hxxps[://]spring[.]io/security/cve-2026-22743
- hxxps[://]spring[.]io/security/cve-2026-22744
- hxxps[://]spring[.]io/security/cve-2026-22742
- hxxps[://]spring[.]io/security/cve-2026-22738
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/spring-security-advisory-av26-288