Spring AI Vulnerabilities - Security Advisory Released

Spring has issued a security advisory for critical vulnerabilities in Spring AI and other products, urging users to update to avoid serious security risks.


Original Reporting: Canadian Cyber Centre Alerts

AI Summary: CyberPings AI · Reviewed by Rohit Rana

🎯 Spring found serious problems in its software that could let attackers break in and steal information. It told everyone to fix them quickly by updating to newer versions of the software.

The Flaw

On March 17, 2026, Spring issued a security advisory highlighting vulnerabilities in its Spring AI product. Specifically, the advisory targets versions 1.0.x prior to 1.0.4 and 1.1.x prior to 1.1.3. These versions contain critical security flaws that can be exploited by attackers, potentially leading to unauthorized access to sensitive data.

The vulnerabilities include CVE-2026-22730, which involves an SQL injection in the MariaDBFilterExpressionConverter, and CVE-2026-22729, which pertains to a JSONPath injection in the Vector Stores FilterExpressionConverter. Both flaws pose significant risks to applications using these versions of Spring AI.

In addition to Spring AI, the advisory also covers vulnerabilities in several other Spring products, including Spring Cloud Gateway (version 4.2.0), Spring Security (versions 5.7.0 to 5.7.22, 5.8.0 to 5.8.24, 6.3.0 to 6.3.15, 6.4.0 to 6.4.15, 6.5.0 to 6.5.9, and 7.0.0 to 7.0.4), Spring Authorization Server (versions 1.3.0 to 1.3.10, 1.4.0 to 1.4.9, and 1.5.0 to 1.5.6), and Spring Framework (versions 5.3.0 to 5.3.47, 6.1.0 to 6.1.26, 6.2.0 to 6.2.17, and 7.0.0 to 7.0.6).

What's at Risk

The impact of these vulnerabilities can be severe. SQL injection allows attackers to manipulate database queries, potentially exposing sensitive information or even allowing them to take control of the database. JSONPath injection can similarly lead to unauthorized data access, compromising the integrity of the application.

Users running affected versions of Spring AI and other Spring products are at risk of data breaches, which can have serious implications for their operations. This is particularly concerning for organizations handling sensitive or personal data, as it can lead to compliance issues and loss of trust from clients.

Patch Status

Spring has provided updates to address these vulnerabilities. Users are strongly encouraged to upgrade to Spring AI version 1.0.4 or 1.1.3, and to review the advisories for other affected products to mitigate these risks. The Cyber Centre has emphasized the importance of applying these updates promptly to protect against potential attacks.

Immediate Actions

To safeguard against these vulnerabilities, users should take immediate action. By staying proactive and applying the recommended updates, users can significantly reduce their risk of falling victim to these vulnerabilities. The advisory serves as a timely reminder of the importance of maintaining up-to-date software to protect against evolving cyber threats.

Containment

  1. Upgrade to the latest versions of Spring AI and other affected products as specified in the advisories.
  2. Review application configurations for any potential exposure to SQL or JSONPath injections.
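A check for the upgrade step above, added here as an example and not code from Spring or the Cyber Centre: it parses dependency version strings and flags those inside the ranges the advisory lists. It assumes "A to B" for the non-Spring-AI products means both ends inclusive, and treats pre-release qualifiers such as -SNAPSHOT as sorting below the release they precede.

```python
"""Flag dependency versions that fall inside the ranges the advisory lists."""
import re
from typing import Dict, List, Tuple

# Ranges copied from the advisory text: (lower bound, upper bound, upper bound inclusive?).
# Spring AI "1.0.x prior to 1.0.4" is [1.0.0, 1.0.4); "A to B" for the other
# products is read as inclusive of both ends (assumption).
AFFECTED: Dict[str, List[Tuple[str, str, bool]]] = {
    "spring-ai": [("1.0.0", "1.0.4", False), ("1.1.0", "1.1.3", False)],
    "spring-cloud-gateway": [("4.2.0", "4.2.0", True)],
    "spring-security": [("5.7.0", "5.7.22", True), ("5.8.0", "5.8.24", True),
                        ("6.3.0", "6.3.15", True), ("6.4.0", "6.4.15", True),
                        ("6.5.0", "6.5.9", True), ("7.0.0", "7.0.4", True)],
    "spring-authorization-server": [("1.3.0", "1.3.10", True), ("1.4.0", "1.4.9", True),
                                    ("1.5.0", "1.5.6", True)],
    "spring-framework": [("5.3.0", "5.3.47", True), ("6.1.0", "6.1.26", True),
                         ("6.2.0", "6.2.17", True), ("7.0.0", "7.0.6", True)],
}

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '6.4.15', '6.4.15.RELEASE' or '1.0.4-SNAPSHOT' into a comparable tuple.
    The last element is 0 for pre-release qualifiers (SNAPSHOT, M1, RC1, ...) and 1
    for a final release, so 1.0.4-SNAPSHOT sorts below 1.0.4 and is still affected."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, patch = m.groups()
    rest = v[m.end():]
    final = 0 if re.search(r"(?i)snapshot|rc\d*|m\d|alpha|beta", rest) else 1
    return int(major), int(minor), int(patch or 0), final

def is_affected(product: str, version: str) -> bool:
    """True when the version lies inside any advisory range for the product."""
    v = parse_version(version)
    for low, high, inclusive in AFFECTED[product]:
        lo, hi = parse_version(low), parse_version(high)
        if lo <= v and (v <= hi if inclusive else v < hi):
            return True
    return False

def scan(manifest: Dict[str, str]) -> List[str]:
    """Return the products in a {product: version} manifest that still need upgrading.
    Products the advisory does not name are skipped rather than reported."""
    return sorted(p for p, ver in manifest.items() if p in AFFECTED and is_affected(p, ver))

if __name__ == "__main__":
    # Constructed sample manifest, not taken from any real project.
    sample = {"spring-ai": "1.1.2", "spring-security": "6.4.16", "spring-framework": "6.2.17"}
    print(scan(sample))  # ['spring-ai', 'spring-framework']
```

Feed it the versions resolved by your build tool (for example from a Maven or Gradle dependency report), since a transitively pulled-in Spring Framework or Spring Security version is just as exposed as one declared directly.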

🔒 Pro Insight

The recent advisory highlights the importance of timely updates across multiple Spring products, not just Spring AI, indicating a broader security concern that organizations need to address.
