SpEL Injection RCE in Spring AI SimpleVectorStore

This repository is a standalone Python proof-of-concept and local Docker lab for CVE-2026-22738, a critical unauthenticated SpEL injection leading to RCE in Spring AI SimpleVectorStore. The main exploit logic is in exploit.py, which uses requests to send crafted GET requests to a vulnerable /search endpoint. The exploit abuses attacker-controlled filterKey input that is embedded into a SpEL expression and evaluated by StandardEvaluationContext, allowing use of T(java.lang.Runtime).getRuntime().exec(...) for OS command execution. Repository structure: README.md documents the vulnerability, affected versions, exploitation flow, and usage. exploit.py is the operational PoC with helper functions to build SpEL payloads, perform a baseline request, run a blind property-read probe, trigger RCE by creating /tmp/pwned_cve_2026_22738, write command output to /tmp/rce_proof.txt, and optionally verify success with docker exec against the named lab container. docker-compose.yml defines a vulnerable-app service exposing host port 8082 to container port 8080 and names the container cve-2026-22738-lab. Dockerfile builds and runs a Spring Boot application jar. The stages/*.json files are supporting research/compliance/exploitation notes rather than executable exploit components. Main exploit capability: unauthenticated remote command execution over HTTP against vulnerable Spring AI applications that expose user-controlled metadata filter keys. The PoC includes both non-RCE validation (reading java.version) and direct command execution. Success is inferred from the EL1030E SpEL error returned after exec() completes, and in the local lab can be confirmed by inspecting files inside the container. This is a real exploit, not merely a detector, and it is operational but not framework-based.