A command-injection vulnerability in the Spring CLI VSCode extension allows attackers to execute arbitrary commands on affected user machines.
The vulnerability, tracked as CVE-2026-22718, affects all versions of the extension through 0.9.0 and poses a significant risk to developers still using the outdated tool despite its end-of-life status.
Vulnerability Details
The Spring CLI VSCode extension contains a command-injection flaw that attackers can exploit to execute arbitrary commands on compromised systems.
Exploiting the vulnerability requires local access and user interaction. Even so, it carries a MEDIUM severity rating and has a high impact on system confidentiality and integrity.
| Field | Details |
| --- | --- |
| CVE ID | CVE-2026-22718 |
| Vulnerability Type | Command Injection |
| Affected Product | Spring CLI VSCode Extension |
| Affected Versions | 0.9.0 and older (all unsupported) |
| Severity | MEDIUM |
| CVSS v3.1 Score | 6.8 |
The extension officially reached end of life on May 14, 2025, meaning it has not received any security updates or maintenance for several months.
Despite the EOL status, the Spring development team elected to assign and document this CVE to ensure transparent communication with users and underscore the importance of removing the deprecated extension from development environments.
The command injection vulnerability relies on a local attack vector and requires an attacker to already have local system access.
Triggering the flaw requires only low privileges plus user interaction, which makes it a practical attack surface on already-compromised development workstations or shared systems.
The vulnerability can result in high-impact confidentiality and integrity violations, as well as limited availability impacts.
All versions of the Spring CLI VSCode extension, up to and including 0.9.0, are vulnerable.
The critical mitigation strategy is straightforward: developers should immediately uninstall the vulnerable extension from their VSCode environments.
No patched version exists due to the extension’s end-of-life status, making removal the only viable protective measure.
Organizations should audit their development teams to identify instances where the Spring CLI extension remains installed and coordinate its removal across all coding environments.
This includes standalone workstations, shared development machines, and CI/CD pipelines that may use VSCode extensions.
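One way to carry out the audit step described above is to feed the output of `code --list-extensions` through a small filter and fail a CI job or inventory check whenever a match appears. The following shell script is an added example written for this page, not tooling from the Spring project or the advisory. The advisory does not give the extension's marketplace identifier, so the filter matches on the substrings "spring" and "cli" (an assumption to be reviewed before any uninstall), and the sample extension list, including the `example-publisher.spring-cli-placeholder` id, is constructed.

```shell
#!/bin/sh
# Added example: audit a VS Code extension list for the deprecated
# Spring CLI extension. The real marketplace id is not stated in the
# advisory, so matching on "spring" + "cli" is an assumption; review
# the matches before removing anything.

# find_spring_cli_extensions: reads extension ids (one per line) on stdin
# and prints only those that look like the Spring CLI extension.
# "|| true" keeps an empty result from being treated as an error under set -e.
find_spring_cli_extensions() {
  grep -i 'spring' | grep -i 'cli' || true
}

# audit_extension_list: takes the newline-separated extension list as $1.
# Returns 0 when nothing suspicious is installed and 1 when at least one
# match is found, so it can gate a pipeline step or fleet inventory check.
audit_extension_list() {
  matches=$(printf '%s\n' "$1" | find_spring_cli_extensions)
  if [ -n "$matches" ]; then
    printf 'Found deprecated Spring CLI extension(s):\n%s\n' "$matches"
    return 1
  fi
  echo "No Spring CLI extension found."
  return 0
}

# Constructed sample of what `code --list-extensions` might print on a
# developer workstation; the spring-cli id is a placeholder, not a real one.
SAMPLE_EXTENSIONS='ms-python.python
redhat.java
example-publisher.spring-cli-placeholder'

# Stand-alone run: exits non-zero because the sample list contains a match.
audit_extension_list "$SAMPLE_EXTENSIONS"
```

On a real machine the same filter runs against live data with `code --list-extensions | find_spring_cli_extensions`, and a confirmed match is removed with `code --uninstall-extension <id>`; on shared hosts and CI images, repeat the check per user profile, since VS Code keeps extensions per user.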
The vulnerability was responsibly disclosed by security researcher Yue Liu, demonstrating the importance of coordinated vulnerability reporting in the open-source ecosystem.
The Spring disclosure highlights that even deprecated tools warrant security attention, protecting users who may not immediately recognize the need to migrate away from unsupported software.
Developers relying on Spring CLI functionality should transition to supported alternatives and ensure their development tooling remains up to date with active maintenance and security patches.
