VMware Spring Framework

Spring MVC/WebFlux /** Mapping 302 Redirect EIP (5.3-7.0)
CVE-2026-41844 4.2 - Medium - June 09, 2026

A Spring MVC or Spring WebFlux application which configures a mapping for "/**" where the view name is not explicitly specified allows an attacker to craft a link resulting in a 302 redirect to an arbitrary external host via the redirect: prefix. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Open Redirect

Spring MVC/WebFlux Static Resource DoS 5.37.0.7
CVE-2026-41842 7.5 - High - June 09, 2026

Spring MVC and WebFlux applications are vulnerable to Denial of Service (DoS) attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Resource Exhaustion

Info Disclosure via Static Resource Res in Spring Framework (v5.3-7.0)
CVE-2026-41841 5.9 - Medium - June 09, 2026

Spring MVC and WebFlux applications are vulnerable to Information Disclosure attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Use of Cache Containing Sensitive Information

Spring WebFlux DoS via Multipart 5.37.0.7
CVE-2026-41840 5.9 - Medium - June 09, 2026

Spring WebFlux applications are vulnerable to Denial of Service (DoS) attacks when processing multipart requests. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Resource Exhaustion

Spring Framework WebFlux Session ID Escalation 5.348, 6.127, 6.218, 7.07.0.7
CVE-2026-41839 4.2 - Medium - June 09, 2026

A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Session Fixation

Spring Framework WebSocket Session ID Predictability 5.3.x-7.0.x
CVE-2026-41838 4.8 - Medium - June 09, 2026

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48.

Use of Insufficiently Random Values

Spring LDAP 2.4.04.0.3 DirContextAuth bypass of empty password
CVE-2026-41720 7.4 - High - June 09, 2026

Spring LDAP's DirContextAuthenticationStrategy implementations do not reject a bind request where a non-empty username is paired with an empty or null password. Affected versions: Spring LDAP 2.4.0 through 2.4.4; 3.2.0 through 3.2.17; 3.3.0 through 3.3.7; 4.0.0 through 4.0.3.

authentification

Spring Retry 1.3.0-1.3.4/2.0.0-2.0.12: Stateful Retry Cache Capacity Exhaustion DoS
CVE-2026-41710 5.9 - Medium - June 09, 2026

An attacker can craft a large number of unique requests that trigger a failure, exhausting the capacity of the application-wide stateful retry cache. Once the cache is full, it permanently rejects any further updates, causing all later stateful retries and circuit breakers in the application to fail. Affected versions: Spring Retry 2.0.0 through 2.0.12; 1.3.0 through 1.3.4.

Allocation of Resources Without Limits or Throttling

Micrometer Core & Jetty 1.131.16.5 DoS via crafted HTTP reqs
CVE-2026-40984 7.5 - High - June 09, 2026

In Micrometer, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Affected versions: micrometer-core 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18; 1.9.0 through 1.9.17. micrometer-jetty11 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18. micrometer-jetty12 1.16.0 through 1.16.5; 1.15.0 through 1.15.11; 1.14.0 through 1.14.15; 1.13.0 through 1.13.18.

Resource Exhaustion

Micrometer 1.15/1.16 gRPC DoS via crafted requests
CVE-2026-40983 7.5 - High - June 09, 2026

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11.

Resource Exhaustion

Spring Cloud Function OOM via infinite function registry (pre 5.0.2)
CVE-2026-40990 5.7 - Medium - June 01, 2026

OOM error is possible while attempting to add infinite amount of functions to Function Registry. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

Allocation of Resources Without Limits or Throttling

SpringCloudFunc OOM via InfinRec on Routing Layer before 5.0.2
CVE-2026-40989 5.7 - Medium - June 01, 2026

Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud Function 4.3.x: versions prior to 4.3.3 Spring Cloud Function 5.0.x: versions prior to 5.0.2 Older, unsupported versions are also affected.

Stack Exhaustion

Spring AI 1.1.x Path Traversal via Unsanitized LLM-Filename
CVE-2026-41863 6.5 - Medium - May 25, 2026

Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories. Affected versions: Spring AI: 1.1.0 through 1.1.x

Directory traversal

VMware Advisor Input Injection Alters Model Behavior
CVE-2026-41713 8.2 - High - May 12, 2026

A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.

1336

Spring AI ChatMemory default leak enabling cross-user data exposure
CVE-2026-41712 7.5 - High - May 12, 2026

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

Filter-Expression Injection in Spring AI MilvusVectorStore#doDelete v1.01.1
CVE-2026-41705 8.6 - High - May 09, 2026

Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.

EL Injection

Spring Cloud Config Secrets Manager Bypass - Exposes GCP Secrets (v3.1-5.0)
CVE-2026-40981 7.5 - High - May 07, 2026

When using Google Secrets Manager as a backend for the Spring Cloud Config server a client can craft a request to the config server potentially exposing secrets from unintended GCP projects. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Insecure Direct Object Reference / IDOR

Spring Cloud Config Server TOCTOU via base directory 3.1.x-5.0.3
CVE-2026-41002 7.4 - High - May 07, 2026

The base directory (`spring.cloud.config.server.git.basedir`) used by the Spring Cloud Config Server to clone Git repositories to is susceptible to time-of-check-time-of-use (TOCTOU) attacks. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

TOCTTOU

Spring Cloud Config Trace Log Info Exposure CVE-2026-41004
CVE-2026-41004 4.4 - Medium - May 07, 2026

When enabling trace logging in Spring Cloud Config Server sensitive information was placed in plain text in the logs. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Insertion of Sensitive Information into Log File

Spring Cloud Config DT via Config Server CVE-2026-40982 (5.0.0-5.0.2)
CVE-2026-40982 9.1 - Critical - May 07, 2026

Spring Cloud Config allows applications to serve arbitrary text and binary files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack. Spring Cloud Config 3.1.x: affected from 3.1.0 through 3.1.13 (inclusive); upgrade to 3.1.14 or greater (Enterprise Support Only). Spring Cloud Config 4.1.x: affected from 4.1.0 through 4.1.9 (inclusive); upgrade to 4.1.10 or greater (Enterprise Support Only). Spring Cloud Config 4.2.x: affected from 4.2.0 through 4.2.6 (inclusive); upgrade to 4.2.7 or greater (Enterprise Support Only). Spring Cloud Config 4.3.x: affected from 4.3.0 through 4.3.2 (inclusive); upgrade to 4.3.3 or greater. Spring Cloud Config 5.0.x: affected from 5.0.0 through 5.0.2 (inclusive); upgrade to 5.0.3 or greater.

Directory traversal

DoS via Slow Static Resource Resolve in Spring MVC/WebFlux on Windows
CVE-2026-22745 5.3 - Medium - April 29, 2026

Spring MVC and WebFlux applications are vulnerable to Denial of Service attacks when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is serving static resources from the file system * the application is running on a Windows platform When all the conditions above are met, the attacker can send malicious requests that are slow to resolve and that can keep HTTP connections in use. This can cause a Denial of Service on the application.

Resource Exhaustion

Spring MVC static resource cache poisoning via encoded resource resolution
CVE-2026-22741 3.1 - Low - April 29, 2026

Spring MVC and WebFlux applications are vulnerable to cache poisoning when resolving static resources. More precisely, an application can be vulnerable when all the following are true: * the application is using Spring MVC or Spring WebFlux * the application is configuring the  resource chain support https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title  with caching enabled * the application adds support for encoded resources resolution * the resource cache must be empty when the attacker has access to the application When all the conditions above are met, the attacker can send malicious requests and poison the resource cache with resources using the wrong encoding. This can cause a denial of service by breaking the front-end application for clients.

Use of Cache Containing Sensitive Information

Spring WebFlux multipart temp file retention (disk space depletion)
CVE-2026-22740 6.5 - Medium - April 29, 2026

A WebFlux server application that processes multipart requests creates temp files for parts larger than 10 K. Under some circumstances, temp files may remain not deleted after the request is fully processed. This allows an attacker to consume available disk space. Older, unsupported versions are also affected.

Resource Exhaustion

Spring gRPC 1.0.0-1.0.2 AuthEx Leakage via gRPC Status
CVE-2026-40969 3.7 - Low - April 28, 2026

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Generation of Error Message Containing Sensitive Information

Spring gRPC auth ID retained on thread, pre-1.0.3
CVE-2026-40968 4.3 - Medium - April 28, 2026

When an authenticated user is denied access to a gRPC method, their authenticated identity remains bound to the gRPC worker thread and can be inherited by a subsequent unauthenticated request on the same thread. This may allow the subsequent user to gain escalated permissions. Affected versions: Spring gRPC: 1.0.0 - 1.0.2 (fixed in 1.0.3). Older, unsupported versions are also affected.

Separation of Privilege

Spring AI ForkPDFLayoutTextStripper DoS via crafted PDF (1.0.0-1.1.4)
CVE-2026-40980 6.5 - Medium - April 28, 2026

In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Resource Exhaustion

Spring AI 1.0.0-1.0.5 / 1.1.0-1.1.4 Shared Env Exposes ONNX (fixed 1.0.6/1.1.5)
CVE-2026-40979 6.1 - Medium - April 28, 2026

In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Insecure Temporary File

Spring AI 1.0.0-1.0.5 / 1.1.0-1.1.4 SQLi in CosmosDBVectorStore (fixed 1.0.6/1.1.5)
CVE-2026-40978 8.8 - High - April 28, 2026

SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

SQL Injection

Spring AI VSCMA Exfiltration via conversationId Injection
CVE-2026-40966 5.9 - Medium - April 28, 2026

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

Authorization

Spring AI 1.0-1.0.5 Query-Language Injection via Unescaped Filters
CVE-2026-40967 8.6 - High - April 28, 2026

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Code Injection

Spring Boot 2.74.0.6 ApplicationPidFileWriter PID File Corruption
CVE-2026-40977 4.7 - Medium - April 27, 2026

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.04.0.5 (fix 4.0.6), 3.5.03.5.13 (fix 3.5.14), 3.4.03.4.15 (fix 3.4.16), 3.3.03.3.18 (fix 3.3.19), 2.7.02.7.32 (fix 2.7.33); PID file / symlink behavior (`ApplicationPidFileWriter`). Versions that are no longer supported are also affected per vendor advisory.

insecure temporary file

Spring Boot 4.0.5 Default Security Filter Chain Bypass
CVE-2026-40976 9.1 - Critical - April 27, 2026

In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter chain; depend on spring-boot-actuator-autoconfigure; not depend on spring-boot-health. If any of the above does not apply, the application is not vulnerable. Affected: Spring Boot 4.0.04.0.5; upgrade to 4.0.6 or later per vendor advisory.

AuthZ

Spring Boot Weak PRNG in Random Value Property Source (before 4.0.6)
CVE-2026-40975 4.8 - Medium - April 27, 2026

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.04.0.5 (fix 4.0.6), 3.5.03.5.13 (fix 3.5.14), 3.4.03.4.15 (fix 3.4.16), 3.3.03.3.18 (fix 3.3.19), 2.7.02.7.32 (fix 2.7.33); random value property source / weak PRNG for secrets. Versions that are no longer supported are also affected per vendor advisory.

Use of Insufficiently Random Values

Spring Boot Cassandra SSL Hostname Verification Failure (pre 4.0.6, 3.5.14, ...)
CVE-2026-40974 5 - Medium - April 27, 2026

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.04.0.5 (fix 4.0.6), 3.5.03.5.13 (fix 3.5.14), 3.4.03.4.15 (fix 3.4.16), 3.3.03.3.18 (fix 3.3.19), 2.7.02.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.

Improper Certificate Validation

Spring Boot 4 Session Hijack via ApplicationTemp TempDir
CVE-2026-40973 7 - High - April 27, 2026

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hijack authenticated users or deploy a gadget chain and execute code as the application's user. Affected: Spring Boot 4.0.04.0.5 (fix 4.0.6), 3.5.03.5.13 (fix 3.5.14), 3.4.03.4.15 (fix 3.4.16), 3.3.03.3.18 (fix 3.3.19), 2.7.02.7.32 (fix 2.7.33); predictable temp directory / `ApplicationTemp` ownership verification. Versions that are no longer supported are also affected per vendor advisory.

Insecure Temporary File

Timing Attack RCE via Remote Secret Comparison in Spring Boot 3.x
CVE-2026-40972 7.5 - High - April 27, 2026

An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution in the remote application. Affected: Spring Boot 4.0.04.0.5 (fix 4.0.6), 3.5.03.5.13 (fix 3.5.14), 3.4.03.4.15 (fix 3.4.16), 3.3.03.3.18 (fix 3.3.19), 2.7.02.7.32 (fix 2.7.33); DevTools remote secret comparison. Versions that are no longer supported are also affected per vendor advisory.

Observable Timing Discrepancy

Spring Boot 4.0.04.0.5/3.5.03.5.13 RabbitMQ SSL Hostname Verification Bypass
CVE-2026-40971 5 - Medium - April 27, 2026

When configured to use an SSL bundle, Spring Boot's RabbitMQ auto-configuration does not perform hostname verification when connecting to the RabbitMQ broker. Affected: Spring Boot 4.0.04.0.5 (fix 4.0.6), 3.5.03.5.13 (fix 3.5.14) per vendor advisory.

Improper Certificate Validation

Spring Boot 4.0.04.0.5: Omitted Hostname Verification in ES SSL Auto-Config
CVE-2026-40970 5 - Medium - April 27, 2026

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.04.0.5; upgrade to 4.0.6 or later per vendor advisory.

Improper Certificate Validation

Spring Security 7.0.07.0.4: Auth ByPass via Servlet Path
CVE-2026-22754 7.5 - High - April 22, 2026

Vulnerability in Spring Spring Security. If an application uses <sec:intercept-url servlet-path="/servlet-path" pattern="/endpoint/**"/> to define the servlet path for computing a path matcher, then the servlet path is not included and the related authorization rules are not exercised. This can lead to an authorization bypass.This issue affects Spring Security: from 7.0.0 through 7.0.4.

Authorization

Spring Security 7.0.0-7.0.4 Matcher Security Bypass
CVE-2026-22753 7.5 - High - April 22, 2026

Vulnerability in Spring Spring Security. If an application is using securityMatchers(String) and a PathPatternRequestMatcher.Builder bean to prepend a servlet path, matching requests to that filter chain may fail and its related security components will not be exercised as intended by the application. This can lead to the authentication, authorization, and other security controls being rendered inactive on intended requests.This issue affects Spring Security: from 7.0.0 through 7.0.4.

Protection Mechanism Failure

Spring Security 6/7 JWT Decoder Missing Token Validator (CVE-2026-22748)
CVE-2026-22748 5.3 - Medium - April 22, 2026

Vulnerability in Spring Spring Security. When an application configures JWT decoding with NimbusJwtDecoder  or NimbusReactiveJwtDecoder, it must configure an OAuth2TokenValidator<Jwt> separately, for example by calling setJwtValidator.This issue affects Spring Security: from 6.3.0 through 6.3.14, from 6.4.0 through 6.4.14, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Improper Input Validation

Spring Security 7.0.0-7.0.4 SubjectX500PrincipalExtractor X.509 CN flaw impersonation
CVE-2026-22747 6.8 - Medium - April 22, 2026

Vulnerability in Spring Spring Security. SubjectX500PrincipalExtractor does not correctly handle certain malformed X.509 certificate CN values, which can lead to reading the wrong value for the username. In a carefully crafted certificate, this can lead to an attacker impersonating another user. This issue affects Spring Security: from 7.0.0 through 7.0.4.

Improper Validation of Certificate with Host Mismatch

Spring Security 5.7-7.0 DAO Auth Timing Attack Bypass via Disabled/Locked
CVE-2026-22746 3.7 - Low - April 22, 2026

Vulnerability in Spring Spring Security. If an application is using the UserDetails#isEnabled, #isAccountNonExpired, or #isAccountNonLocked user attributes, to enable, expire, or lock users, then DaoAuthenticationProvider's timing attack defense can be bypassed for users who are disabled, expired, or locked.This issue affects Spring Security: from 5.7.0 through 5.7.22, from 5.8.0 through 5.8.24, from 6.3.0 through 6.3.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

Observable Timing Discrepancy

SpringSec TOCTOU Race JdbcOneTimeTokenSrv v6.4.0-6.4.15/6.5.0-6.5.9/7.0.0-7.0.4
CVE-2026-22751 4.8 - Medium - April 21, 2026

Vulnerability in Spring Spring Security. Applications that explicitly configure One-Time Token login with JdbcOneTimeTokenService are vulnerable to a Time-of-check Time-of-use (TOCTOU) race condition. This issue affects Spring Security: from 6.4.0 through 6.4.15, from 6.5.0 through 6.5.9, from 7.0.0 through 7.0.4.

TOCTTOU

Spring Cloud Gateway SSL Bundle Config Ignored (CVE-2026-22750)
CVE-2026-22750 7.5 - High - April 10, 2026

When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0  available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases.

External Control of System or Configuration Setting

Spring AI redis-store TAG Injection via RedisFilterExpressionConverter (pre1.0.5/1.1.3)
CVE-2026-22744 7.5 - High - March 27, 2026

In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Injection

Neo4jVectorFilterExpressionConverter Cypher Injection in SpringAI Neo4j Store <1.0.5 & <1.1.4
CVE-2026-22743 7.5 - High - March 27, 2026

Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

SQL Injection

Spring AI spring-ai-bedrock-converse SSRF in BedrockProxyChatModel pre-1.1.4
CVE-2026-22742 8.6 - High - March 27, 2026

Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

SSRF

Spring AI SpEL Injection via SimpleVectorStore (1.0.01.0.4, 1.1.01.1.3)
CVE-2026-22738 9.8 - Critical - March 27, 2026

In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

Argument Injection

Spring Cloud PT via Profile Param (<3.1.13/4.1.9/4.2.3/4.3.2/5.0.2)
CVE-2026-22739 8.6 - High - March 24, 2026

Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories.This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.

Directory traversal