Spring Security Advisory - Critical Vulnerabilities Identified
In short: Spring has disclosed serious vulnerabilities in two of its products that could give attackers a way in.
Spring has issued a security advisory for vulnerabilities in Spring Cloud Config and Spring AI. Users must update their software to prevent unauthorized access and remote code execution. Ignoring these updates could lead to serious security risks. Stay secure by applying the necessary patches.
The Flaw
Between March 23 and 26, 2026, Spring released security advisories for vulnerabilities affecting two of its products: Spring Cloud Config and Spring AI. These vulnerabilities could allow unauthorized access to sensitive files and enable various attacks, including Server-Side Request Forgery (SSRF) and remote code execution. Notably, CVE-2026-22739 allows profile substitution in Spring Cloud Config, which can lead to unintended file access.
Other vulnerabilities include CVE-2026-22743, which involves SSRF via filter expression keys in Neo4jVectorStore, and CVE-2026-22744, which allows unescaped TAG filter values in RedisVectorStore. These flaws present significant risks, particularly for organizations relying on these frameworks for cloud configuration management and AI applications.
What's at Risk
The vulnerabilities affect multiple versions of Spring Cloud Config, specifically those prior to 3.1.3, 4.1.9, 4.2.6, 4.3.2, and 5.0.2, as well as Spring AI versions before 1.0.5 and 1.1.4. If left unpatched, these flaws could lead to severe security breaches, including unauthorized access to data and potential remote code execution. Organizations using these versions should prioritize updates to mitigate these risks.
Patch Status
Spring has provided updates to address these vulnerabilities. Users are strongly encouraged to upgrade to the latest versions of the affected products. For Spring Cloud Config, this means updating to the fixed release for the branch in use: 3.1.3, 4.1.9, 4.2.6, 4.3.2 or 5.0.2. For Spring AI, users should update to at least version 1.0.5 or 1.1.4, depending on the branch in use. The Cyber Centre has emphasized the importance of applying these updates promptly to protect against potential exploits.
Immediate Actions
To safeguard your systems, follow these steps:
- Review the versions of Spring Cloud Config and Spring AI currently in use.
- Upgrade to the latest versions provided in the advisory.
- Monitor your systems for any unusual activity that may indicate exploitation attempts.
- Stay informed about future advisories from Spring to ensure ongoing security.
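As an added example (not part of the advisory and not Spring's own tooling), the following Python script carries out the first two steps above against the output of `mvn dependency:list`: it maps each resolved dependency to one of the two products, picks the fixed release for that version's branch from the versions the advisory lists, and reports whether the resolved version is at or above it. The Maven coordinates used for matching (`org.springframework.cloud` with artifact ids beginning `spring-cloud-config`, and `org.springframework.ai`) and the sample dependency lines are assumptions; treating a branch for which the advisory lists no fix as affected is a policy choice of the script, not a statement from the advisory.

```python
"""Check resolved Spring dependencies against the advisory's fixed versions.

Added example, not part of the advisory. The fixed versions are the ones
the advisory names; the Maven coordinates and the sample input below are
assumptions / constructed samples.
"""
import re

# Fixed releases named in the advisory, one per maintained branch.
FIXED_VERSIONS = {
    "spring-cloud-config": ["3.1.3", "4.1.9", "4.2.6", "4.3.2", "5.0.2"],
    "spring-ai": ["1.0.5", "1.1.4"],
}


def parse_version(text):
    """Split '4.1.8-SNAPSHOT' into ((4, 1, 8), 'SNAPSHOT'); qualifier is None for GA."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.]*))?$", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # normalise to major.minor.patch
    return nums, m.group(2)


def product_of(group_id, artifact_id):
    """Map Maven coordinates to an advisory product (assumed ids, not from the page)."""
    if group_id == "org.springframework.cloud" and artifact_id.startswith("spring-cloud-config"):
        return "spring-cloud-config"
    if group_id == "org.springframework.ai":
        return "spring-ai"
    return None


def assess(product, version):
    """Return (status, fixed_version) for one resolved version of a product."""
    nums, qualifier = parse_version(version)
    branch = nums[:2]
    fixed_by_branch = {parse_version(v)[0][:2]: v for v in FIXED_VERSIONS[product]}
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        if branch > max(fixed_by_branch):
            return "not-covered", None  # newer than the advisory: check later advisories
        return "unsupported-branch", None  # no fix listed for this branch: migrate
    fixed_nums = parse_version(fixed)[0]
    # A SNAPSHOT, milestone or RC of the fixed version precedes the GA release.
    is_ga = qualifier is None or qualifier.upper() == "RELEASE"
    if nums > fixed_nums or (nums == fixed_nums and is_ga):
        return "patched", fixed
    return "vulnerable", fixed


def scan_dependency_list(lines):
    """Parse `mvn dependency:list` lines; return (artifact, version, status, fixed) per hit."""
    findings = []
    for line in lines:
        for token in line.split():
            # group:artifact:type[:classifier]:version:scope -> version is second to last
            if token.count(":") < 4:
                continue
            parts = token.split(":")
            product = product_of(parts[0], parts[1])
            if product is None:
                continue
            status, fixed = assess(product, parts[-2])
            findings.append((parts[1], parts[-2], status, fixed))
    return findings


# Constructed sample in the format `mvn dependency:list` prints; not real output.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.1.8:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-starter-gateway:jar:4.1.5:compile",
    "[INFO]    org.springframework.ai:spring-ai-redis-store:jar:1.0.5:compile",
    "[INFO]    org.springframework.ai:spring-ai-neo4j-store:jar:1.1.3:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-config-client:jar:5.0.2:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-config-server:jar:4.0.4:compile",
]

if __name__ == "__main__":
    for artifact, version, status, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        target = f" (fixed in {fixed})" if fixed else ""
        print(f"{artifact} {version}: {status}{target}")
```

In practice, pipe real output in with `mvn dependency:list | python3 check_spring.py` after replacing the sample list with `sys.stdin`; the script deliberately refuses to call a version on an unlisted older branch safe, since the advisory names no fixed release there.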
By taking these actions, organizations can significantly reduce their exposure to the risks associated with these vulnerabilities. Ignoring these updates could lead to serious security incidents, making timely action essential.