Spring AI Data Integrity Vulnerability (CVE-2026-41863)
2 rules
A data integrity vulnerability exists in Spring AI versions 1.1.x before 1.1.7, potentially allowing an attacker to compromise data integrity, as identified by CVE-2026-41863.
Spring AI MCP Security Unvalidated URL Fetching (SSRF)
2 rules, 1 TTP
The mcp-security framework fails to implement the SSRF mitigations outlined in the Model Context Protocol, processing untrusted URLs for OAuth-related discovery and metadata without verification. This affects installations with Dynamic Client Registration (DCR) enabled and exposes them to potential Server-Side Request Forgery (SSRF) attacks, tracked as CVE-2026-45609.
Spring AI Vulnerabilities CVE-2026-40967 and CVE-2026-40978
2 rules, 1 TTP, 2 CVEs
Spring released security advisories on April 27, 2026, to address a VectorStore FilterExpression Converter injection vulnerability (CVE-2026-40967) and a SQL Injection vulnerability (CVE-2026-40978) in Spring AI versions prior to 1.0.6 and 1.1.5.
Spring AI Redis Store TAG Injection Vulnerability (CVE-2026-22744)
2 rules, 1 TTP
CVE-2026-22744 is a code injection vulnerability in Spring AI's RedisFilterExpressionConverter that allows an attacker to inject arbitrary commands into RediSearch TAG blocks via unescaped user-controlled strings, affecting versions 1.0.0 before 1.0.5 and 1.1.0 before 1.1.4.
Spring AI SimpleVectorStore SpEL Injection Vulnerability (CVE-2026-22738)
2 rules, 1 TTP
A SpEL injection vulnerability exists in Spring AI's SimpleVectorStore when a user-supplied value is used as a filter expression key, potentially allowing malicious actors to execute arbitrary code in vulnerable applications.
Spring AI BedrockProxyChatModel SSRF Vulnerability (CVE-2026-22742)
2 rules, 1 TTP
Spring AI's spring-ai-bedrock-converse library is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied media URLs in multimodal messages, allowing attackers to trigger HTTP requests to internal or external destinations.
CVE-2026-22729: JSONPath Injection Vulnerability in Spring AI's PgVectorStore
2 rules, 1 TTP
CVE-2026-22729 is a JSONPath Injection vulnerability found in Spring AI's PgVectorStore, potentially allowing for unauthorized data access or modification.