Spring AI Vulnerabilities Allow Code Execution, SSRF, Policy Bypass

Source: CERT-FR Security Advisories (www.cert.ssi.gouv.fr)
Published March 27th, 2026
Detected March 27th, 2026

Summary

CERT-FR has issued security advisory CERTFR-2026-AVI-0365 on multiple vulnerabilities in Spring AI. Some of them allow an attacker to achieve remote code execution, server-side request forgery (SSRF), or a bypass of the security policy. Affected versions are Spring AI 1.0.x prior to 1.0.5 and 1.1.x prior to 1.1.4.

What changed

CERT-FR, the French governmental CERT operated by the national cybersecurity agency ANSSI, has released an advisory on multiple vulnerabilities in Spring AI. The advisory is based on four Spring security bulletins dated 26 March 2026, covering CVE-2026-22738, CVE-2026-22742, CVE-2026-22743, and CVE-2026-22744. Taken together, the vulnerabilities allow arbitrary remote code execution, server-side request forgery (SSRF), and bypass of the security policy; the advisory does not state which CVE carries which impact, nor does it assign a severity rating. Affected versions are Spring AI 1.0.x before 1.0.5 and 1.1.x before 1.1.4.

The advisory's only stated remediation is to obtain the fixes from the vendor's security bulletins; given the affected ranges, that means moving to Spring AI 1.0.5 or 1.1.4 (or later). Because the impacts include remote code execution and SSRF, organizations running affected versions should treat the upgrade as a priority: an exploitable instance can lead to system compromise and data exfiltration, and Spring AI components frequently hold credentials for model providers and downstream services that would be exposed by an SSRF or code-execution primitive.

What to do next

  1. Consult the Spring security bulletins for CVE-2026-22738, CVE-2026-22742, CVE-2026-22743, and CVE-2026-22744 (all dated 26 March 2026) for the patch details.
  2. Inventory Spring AI dependencies and upgrade: 1.0.x to 1.0.5 or later, 1.1.x to 1.1.4 or later.
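As a worked example of the inventory step, the following script is an added example and is not part of the CERT-FR advisory or of the Spring AI project. It parses a Maven `dependency:list`-style listing (`group:artifact:packaging:version:scope` lines; the sample listing is constructed, not captured from a real build) and checks each Spring AI artifact against the two affected ranges the advisory states. The group id `org.springframework.ai` is assumed here; versions outside the stated ranges, and pre-release versions such as milestones or snapshots, are reported as unknown rather than silently treated as fixed, since the advisory only speaks about GA patch ranges.

```python
"""Triage Spring AI dependency versions against CERTFR-2026-AVI-0365.

Added example, not from the advisory or the Spring AI project. Reads lines in
the form produced by `mvn dependency:list` (group:artifact:packaging:version:scope),
selects Spring AI artifacts and reports whether each one falls into an affected
range from the advisory: 1.0.x before 1.0.5 and 1.1.x before 1.1.4.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected ranges as stated in the advisory: (major, minor) -> first fixed patch level.
FIRST_FIXED = {(1, 0): 5, (1, 1): 4}

# Assumed Maven group id for Spring AI artifacts (illustrative assumption).
SPRING_AI_GROUP = "org.springframework.ai"

# Constructed sample listing, mimicking `mvn dependency:list` output.
SAMPLE_DEPENDENCY_LIST = """\
The following files have been resolved:
   org.springframework.ai:spring-ai-core:jar:1.0.3:compile
   org.springframework.ai:spring-ai-openai:jar:1.1.2:compile
   org.springframework.boot:spring-boot-starter-web:jar:3.4.2:compile
   org.springframework.ai:spring-ai-mcp:jar:1.1.4:compile
   org.springframework.ai:spring-ai-vector-store:jar:1.1.0-M2:compile
"""

DEP_LINE = re.compile(
    r"^\s*(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<packaging>\w+)"
    r":(?P<version>[^:\s]+):(?P<scope>\w+)\s*$"
)
# major.minor.patch with an optional "-qualifier" (e.g. 1.1.0-M2, 1.0.0-SNAPSHOT).
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?P<qualifier>[\w.-]+))?$")


@dataclass
class Finding:
    artifact: str
    version: str
    status: str  # "affected", "fixed" or "unknown"
    advice: str


def classify(version: str) -> tuple[str, str]:
    """Map a Spring AI version string to (status, advice) per the advisory ranges."""
    m = VERSION.match(version)
    if not m:
        return "unknown", "version string not understood; check the vendor bulletin"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = m.group("qualifier")
    fixed_patch = FIRST_FIXED.get((major, minor))
    if fixed_patch is None:
        # The advisory only lists 1.0.x and 1.1.x; anything else is out of scope here.
        return "unknown", f"{major}.{minor}.x is not in an advisory range; check the vendor bulletin"
    if qualifier:
        # Milestones/snapshots are not covered by the stated GA ranges; do not assume fixed.
        return "unknown", f"pre-release qualifier '{qualifier}'; treat as affected until confirmed"
    if patch < fixed_patch:
        return "affected", f"upgrade to {major}.{minor}.{fixed_patch} or later"
    return "fixed", "no action"


def triage(listing: str) -> list[Finding]:
    """Return one Finding per Spring AI artifact found in a dependency listing."""
    findings: list[Finding] = []
    for line in listing.splitlines():
        m = DEP_LINE.match(line)
        if not m or m.group("group") != SPRING_AI_GROUP:
            continue
        status, advice = classify(m.group("version"))
        findings.append(Finding(m.group("artifact"), m.group("version"), status, advice))
    return findings


def needs_action(findings: list[Finding]) -> list[Finding]:
    """Everything that is not confirmed fixed needs a human decision."""
    return [f for f in findings if f.status != "fixed"]


if __name__ == "__main__":
    for f in triage(SAMPLE_DEPENDENCY_LIST):
        print(f"{f.status:8} {f.artifact}:{f.version}  {f.advice}")
```

In a real build, feed the script the output of `mvn dependency:list` (or the equivalent Gradle dependency report after adapting `DEP_LINE`) rather than the constructed sample; transitive dependencies matter here, because a starter may pull in an affected Spring AI module that does not appear in the project's own build file.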

Source document (simplified)

Premier Ministre S.G.D.S.N

Agence nationale de la sécurité des systèmes d'information (ANSSI)

Paris, 27 March 2026 No. CERTFR-2026-AVI-0365 Handled by: CERT-FR

CERT-FR advisory

Subject: Multiple vulnerabilities in Spring AI

Document management

| Reference | CERTFR-2026-AVI-0365 |
| Title | Multiple vulnerabilities in Spring AI |
| Date of first version | 27 March 2026 |
| Date of last version | 27 March 2026 |
| Source(s) | Spring security bulletin cve-2026-22738 of 26 March 2026; Spring security bulletin cve-2026-22742 of 26 March 2026; Spring security bulletin cve-2026-22743 of 26 March 2026; Spring security bulletin cve-2026-22744 of 26 March 2026 |

A detailed version history is given at the end of this document.

Risks

  • Security policy bypass
  • Remote arbitrary code execution
  • Server-side request forgery (SSRF)

Affected systems

  • Spring AI versions 1.0.x prior to 1.0.5
  • Spring AI versions 1.1.x prior to 1.1.4

Summary

Multiple vulnerabilities have been discovered in Spring AI. Some of them allow an attacker to cause remote arbitrary code execution, server-side request forgery (SSRF) and a security policy bypass.

Solutions

Refer to the vendor's security bulletin to obtain the fixes (see the Documentation section).

Documentation

Spring security bulletins for CVE-2026-22738, CVE-2026-22742, CVE-2026-22743 and CVE-2026-22744, dated 26 March 2026 (as listed under Source(s) above).

Detailed document history

  1. 27 March 2026 Initial version

Named provisions

Risks, Affected systems, Summary, Solutions, Documentation

Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: CERT-FR
Published: March 27th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Substantive
Document ID: CERTFR-2026-AVI-0365

Who this affects

Applies to: Technology companies
Industry sector: 5112 Software & Technology
Activity scope: Software Development, Vulnerability Management
Geographic scope: France (FR)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Software Security, Vulnerability Management
