Spring AI — CVE-2026-22738 SpEL Injection
Finding: Spring AI Vector Store RCE (CVE-2026-22738)
Confidence: High
The SimpleVectorStore implementation in Spring AI fails to properly sanitise filter expression keys before processing them within the Spring Expression Language (SpEL) engine. This oversight allows an unauthenticated attacker to inject malicious SpEL expressions, leading to full remote code execution on the underlying host.
Whilst modern AI development prioritises rapid integration, this vulnerability highlights a systemic failure to apply traditional input validation to AI-native components. Organisations using Spring AI for RAG pipelines must urgently audit their implementations, as the flaw targets the very foundation of how these systems retrieve and filter data.
Finding: Microsoft SQL Server Zero-Day (CVE-2026-21262)
Confidence: High
A novel zero-day vulnerability in Microsoft SQL Server allows an unauthenticated remote attacker to escalate privileges to 'sysadmin' status. By sending crafted network requests, an adversary can bypass existing authentication mechanisms and gain full control over the database instance. Microsoft has confirmed active exploitation in the wild, primarily targeting high-value financial and government databases.
Finding: Chrome CSS Use-After-Free Zero-Day (CVE-2026-2441)
Confidence: High
Google has confirmed active exploitation of a use-after-free vulnerability within the Chrome CSS engine. This zero-day allows attackers to execute arbitrary code within the browser's sandbox. Given the ubiquity of Chrome-based browsers, this represents a significant surface area for drive-by download attacks. Users are advised to update to the latest stable version immediately.
Update: Langflow Patch Bypass (CVE-2026-33017)
Confidence: High
Researchers have confirmed that the fix for CVE-2026-33017 in Langflow version 1.8.2 is incomplete. Unauthenticated attackers can still trigger remote code execution via the /api/v1/buildpublictmp endpoint, which has led to the CVE's addition to the CISA KEV catalog.
Update: Aqua Security Trivy Supply Chain Breach (CVE-2026-33634)
Confidence: High
The Trivy supply chain breach has been escalated to the CISA KEV following confirmed reports of Kubernetes wipers and infostealers being delivered via compromised GitHub Actions. Impacted users must transition to signed manifests and audit all CI/CD secrets immediately.
Update: UK NCSC Scanning Service Sunset
Confidence: High
The NCSC-UK has confirmed the final retirement date for its Web Check and Mail Check services as 31 March 2026. This sunsetting creates an immediate visibility gap for UK public sector organisations and SMBs that rely on these automated security scans.
Why This Matters
The rapid weaponisation of AI-native frameworks like Spring AI and Langflow demonstrates a shift in the threat landscape. Adversaries are now targeting the bespoke infrastructure supporting generative AI, whilst simultaneously exploiting zero-day vulnerabilities in traditional enterprise software like SQL Server and Chrome.
Recommended Actions
- Spring AI: Audit all Spring AI implementations and isolate Vector Store endpoints from unauthenticated access.
- SQL Server: Apply Microsoft's emergency patch for CVE-2026-21262 and restrict database access to trusted IP ranges.
- Chrome: Force browser updates across all managed endpoints to mitigate the CSS zero-day.
- Supply Chain: Review GitHub Actions for any usage of aquasecurity/trivy v0.69.4 and update to the latest signed version.
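As an added illustration of the supply-chain action above (this is example code written for this digest, not from the advisory or the Trivy project), the following Python audit scans a GitHub Actions workflow for `uses:` references to aquasecurity Trivy actions and reports whether each one names the affected version, an immutable commit SHA, or a mutable tag that can be re-pointed. It assumes the version string quoted in the advisory appears as the action ref, and the workflow text is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample workflow for the demonstration; not taken from any real repository.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Trivy (tag-pinned to the affected version)
        uses: aquasecurity/trivy-action@v0.69.4
      - name: Trivy (pinned to an immutable commit SHA)
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - name: Unrelated action
        uses: docker/build-push-action@v5
"""

# Version named in the digest; assumption: it is used as the action ref in workflows.
AFFECTED_VERSION = "v0.69.4"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line that references an aquasecurity/trivy* action."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not action.lower().startswith("aquasecurity/trivy"):
            continue
        if ref == AFFECTED_VERSION:
            status = "affected-version"        # must be updated
        elif SHA_RE.match(ref):
            status = "commit-pinned"           # immutable; cannot be silently re-pointed
        else:
            status = "unpinned-mutable-ref"    # tag or branch; re-pin to a verified SHA
        findings.append({"line": lineno, "action": action, "ref": ref, "status": status})
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run it over each file under `.github/workflows/` to get a per-line list of Trivy references that still need updating or re-pinning.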
All findings grounded in A13E intelligence sweeps through 07:30 UTC 28 March 2026.