Disclaimer: This writeup is based on a Capture The Flag (CTF) challenge hosted on TryHackMe and it is intended for educational purposes only.
Spring AI 1.0 shipped in May 2025 as the first stable release of the Java framework designed to simplify the development of LLM-powered applications. By wrapping OpenAI, Ollama, and other model providers behind a consistent API, it made it easy for Java developers to add AI features to existing Spring Boot services. Adoption was fast. By early 2026, Spring AI had become a standard dependency across internal enterprise tools, customer-facing chatbots, and AI-assisted search backends.
CVE-2026-22738, published on 26 March 2026, sits in one of Spring AI's storage components: SimpleVectorStore. It is rated CVSS 9.8 (Critical): it is exploitable without authentication and requires no user interaction. An attacker who can reach an exposed API endpoint can achieve full remote code execution on the server, with no credentials and no preparation beyond sending a crafted HTTP request.
Task 2 Exploring the Vulnerability
What evaluation context does the vulnerable version use to evaluate filter expressions?
StandardEvaluationContext
What SpEL operator loads a Java class by its fully qualified name?
T(…)
What Spring component had the same SpEL injection flaw in 2022?
Spring Cloud Function
Task 3 Understanding the Tools
What string in the HTTP response confirms that exec() fired?
EL1030E
What file does Stage 3 create on the target?
/tmp/pwned_cve_2026_22738
What flag makes listener.py fire the payload and listen in one command?
--exploit
Task 4 Exploiting CVE-2026-22738
What port is the vulnerable application running on?
8082
What user is the application running as?
root
What is the flag at /root/flag.txt?
THM{sp3l_1nj3ct10n_m3ans_spr1ng_AI_g0es_brrr}
Task 5 Detecting and Patching
What Java exception class appears in the stack trace during exploitation?
SpelEvaluationException
What Spring AI version fixes CVE-2026-22738 for the 1.0.x branch?
1.0.5
What evaluation context does the patched version use?
SimpleEvaluationContext
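The Task 2 and Task 5 answers together describe the root cause and the fix: filter expressions were evaluated with StandardEvaluationContext, which exposes the full SpEL language including the T(...) type operator, and the patch switches to SimpleEvaluationContext. The snippet below is an added illustration of that difference and is not Spring AI's code or the challenge's code; the Doc class, the filter strings and the evaluator methods are constructed for the example. It uses only standard spring-expression classes. A benign T(java.lang.Math) reference stands in for the class of expression a filter should never be able to resolve.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class FilterContextDemo {

    // Constructed stand-in for document metadata that a vector-store filter is matched against.
    public static class Doc {
        private final String country;
        private final int year;

        public Doc(String country, int year) {
            this.country = country;
            this.year = year;
        }

        public String getCountry() { return country; }
        public int getYear() { return year; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak pattern: StandardEvaluationContext gives an untrusted filter string the whole
    // SpEL feature set, including T(...) type references, constructors and bean references.
    static Object evaluateWithStandardContext(String filter, Doc root) {
        return PARSER.parseExpression(filter).getValue(new StandardEvaluationContext(root));
    }

    // Hardened pattern: SimpleEvaluationContext restricts evaluation to read-only property
    // access on the root object plus operators. Type references are rejected at evaluation time.
    static Object evaluateWithSimpleContext(String filter, Doc root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        return PARSER.parseExpression(filter).getValue(ctx, root);
    }

    public static void main(String[] args) {
        Doc doc = new Doc("NL", 2024);

        // A legitimate metadata filter works under both contexts.
        String legitimateFilter = "country == 'NL' && year >= 2020";
        System.out.println(evaluateWithStandardContext(legitimateFilter, doc)); // true
        System.out.println(evaluateWithSimpleContext(legitimateFilter, doc));   // true

        // A type reference (benign here) is resolved by the full-power context...
        String typeReference = "T(java.lang.Math).max(1, 2)";
        System.out.println(evaluateWithStandardContext(typeReference, doc));    // 2

        // ...but the restricted context refuses to locate the type and throws
        // SpelEvaluationException, the same exception class named in Task 5.
        try {
            evaluateWithSimpleContext(typeReference, doc);
        } catch (SpelEvaluationException e) {
            System.out.println("rejected: " + e.getMessageCode());
        }
    }
}
```

For detection, the SpelEvaluationException in the Task 5 answer is the same signal this demo produces: once filters are evaluated under SimpleEvaluationContext, any filter that tries to use T(...) fails at evaluation and logs that exception, so a burst of them against the vector-store endpoint is worth alerting on even after patching.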