JustAppSec

SpEL injection in Spring AI SimpleVectorStore enables RCE

Published 26 Mar 2026 | Source: Spring Security Advisories

TL;DR — If your app uses Spring AI SimpleVectorStore and builds filter expressions from user input, an attacker can inject SpEL via filter keys and potentially reach remote code execution.

What happened

Spring AI is Spring’s application framework for building LLM-powered applications, including integrations for vector stores used in retrieval-augmented generation (RAG) workflows.

Spring published a CRITICAL advisory for CVE-2026-22738 describing a SpEL injection issue in SimpleVectorStore when a user-supplied value is used as a filter expression key. The advisory states a malicious actor can exploit this to execute arbitrary code.

This is a high-risk pattern for platform teams because “filtering” metadata in vector-store queries often sits directly behind API endpoints, and SpEL injection is frequently an immediate “code-as-data” escape hatch rather than a limited query manipulation bug.

Who is impacted

  • Applications using Spring AI SimpleVectorStore.
  • Deployments where user-supplied input can become a filter expression key.

Component | Affected versions (per advisory) | Fix version (per advisory)
Spring AI | 1.0.x | 1.0.5
Spring AI | 1.1.x | 1.1.4

What to do now

  • Follow vendor remediation guidance and upgrade to the corresponding fixed version.

    "Users of affected versions should upgrade to the corresponding fixed version."

  • Identify services using Spring AI and explicitly inventory usages of SimpleVectorStore (direct usage, transitive usage through internal libraries, and “starter” modules).
  • Treat “filter expression” construction as a trust boundary:
    • Ensure filter keys are not derived from untrusted input.
    • Prefer allowlisted, server-controlled filter fields over pass-through client-defined keys.
  • Validate external exposure: review any API endpoints that accept “filters”, “metadata filters”, or similar query structures that could feed SimpleVectorStore.
  • Align with the advisory’s mitigation expectations.

    "No further mitigation steps are necessary."
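To make the "trust boundary" bullet above concrete, here is an added example (not Spring's code and not from the advisory) showing the anti-pattern, a client-chosen key spliced into filter expression text, beside a hardened version that resolves the client's filter name against a server-controlled allowlist and builds a typed expression. It assumes the Spring AI 1.x FilterExpressionBuilder and SearchRequest builder API; the metadata key names are constructed for illustration.

```java
import java.util.Map;
import org.springframework.ai.vectorstore.SearchRequest;
import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

// Added example, not from the Spring AI project. Assumes the Spring AI 1.x
// FilterExpressionBuilder/SearchRequest API; metadata key names are constructed.
public final class SafeMetadataFilter {

    // Server-controlled mapping: public filter name -> metadata key stored on documents.
    // Only these keys can ever reach the filter expression; the client picks a name, not a key.
    private static final Map<String, String> ALLOWED_FILTERS = Map.of(
            "tenant", "tenant_id",
            "docType", "doc_type");

    // Anti-pattern the advisory describes: the client-supplied key becomes part of the
    // expression text, so it is evaluated as expression syntax instead of treated as data.
    static String unsafeFilterText(String clientKey, String clientValue) {
        return clientKey + " == '" + clientValue + "'";
    }

    // Hardened: reject unknown filter names, map known ones to server-defined keys, and
    // build the expression with the typed builder so values are always literal operands.
    static Filter.Expression buildFilter(Map<String, String> clientFilters) {
        if (clientFilters.isEmpty()) {
            throw new IllegalArgumentException("At least one filter is required");
        }
        FilterExpressionBuilder b = new FilterExpressionBuilder();
        FilterExpressionBuilder.Op combined = null;
        for (Map.Entry<String, String> e : clientFilters.entrySet()) {
            String metadataKey = ALLOWED_FILTERS.get(e.getKey());
            if (metadataKey == null) {
                // Fail closed: anything outside the allowlist is an error, not a pass-through.
                throw new IllegalArgumentException("Unsupported filter: " + e.getKey());
            }
            FilterExpressionBuilder.Op term = b.eq(metadataKey, e.getValue());
            combined = (combined == null) ? term : b.and(combined, term);
        }
        return combined.build();
    }

    // Assembles the search request handed to the vector store with the validated filter.
    static SearchRequest request(String query, Map<String, String> clientFilters) {
        return SearchRequest.builder()
                .query(query)
                .topK(5)
                .filterExpression(buildFilter(clientFilters))
                .build();
    }
}
```

A request carrying {"tenant": "acme"} resolves to a filter on tenant_id, while {"tenant_id == 'x' || true": "..."} or any other unlisted name is rejected before it is ever concatenated or parsed.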
