Serial number: AV26-288
Date: March 26, 2026
Between March 23 and 26, 2026, Spring published security advisories to address vulnerabilities in the following products:
- Spring Cloud Config – versions prior to 3.1.3, 4.1.9, 4.2.6, 4.3.2 and 5.0.2
- Spring AI – versions prior to 1.0.5 and 1.1.4
The Cyber Centre encourages users and administrators to review the provided web links and apply the necessary updates.
- CVE-2026-22739: Spring Cloud Config Profile Substitution Can Allow Unintended Access To Files And Enable SSRF Attacks
- CVE-2026-22743: Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore
- CVE-2026-22744: RediSearch Query via Unescaped TAG Filter Values in RedisVectorStore
- CVE-2026-22742: Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching
- CVE-2026-22738: SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
- Spring Security Advisories