Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
9Blast Radius
ecosystem impact- 162 maven packages depend on org.springframework.ai:spring-ai-vector-store (35 direct, 127 indirect)
Ecosystem-wide dependent count for version 1.0.0.
DescriptionCVE.org
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.
Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
AnalysisAI
Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.
Technical ContextAI
Spring AI is a framework for building AI-powered applications in Java, providing abstractions for vector databases and similarity search operations. The vulnerability affects FilterExpressionConverter implementations, which translate Spring AI's filter expression objects into vendor-specific query languages for vector stores (e.g., Pinecone, Weaviate, Milvus, ChromaDB). CWE-94 (Improper Control of Generation of Code/Code Injection) indicates that user-controlled input is incorporated into dynamically constructed queries without proper sanitization. When filter expression keys and values are not escaped during translation to the target vector store's query syntax, attackers can inject additional query commands, operators, or logic similar to SQL injection but targeting vector database query languages. The affected CPE cpe:2.3:a:spring:spring_ai confirms this is a core Spring AI framework vulnerability, not limited to a single vector store backend.
RemediationAI
Upgrade to Spring AI 1.0.6 if running 1.0.x versions, or upgrade to Spring AI 1.1.5 if running 1.1.x versions, as confirmed by VMware in the security advisory at https://spring.io/security/cve-2026-40967. Review application code to identify all locations where filter expressions are constructed from user input or external sources, then apply strict input validation on filter expression keys and values before passing to FilterExpressionConverter implementations. If immediate patching is not feasible, implement compensating controls: restrict filter expression functionality to authenticated trusted users only (reduces PR:N to PR:L/H), enforce allowlists for permitted filter keys and operators (blocks injection attempts), or disable dynamic filter expression features entirely until patching completes (eliminates attack surface but may impact application functionality). Each workaround trades functionality for security: allowlists require maintenance as legitimate use cases evolve, disabling features may break user workflows, and restricting to authenticated users still leaves insider threat exposure. Vector store access credentials should follow least-privilege principles to limit blast radius if query injection succeeds.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25994
GHSA-qc4j-qjqx-vr58