Skip to main content

Spring AI EUVDEUVD-2026-25994

| CVE-2026-40967 HIGH
Code Injection (CWE-94)
2026-04-28 vmware GHSA-qc4j-qjqx-vr58
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

9
Patch released
Apr 29, 2026 - 19:04 nvd
Patch available
Patch available
Apr 28, 2026 - 08:01 EUVD
Analysis Updated
Apr 28, 2026 - 07:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 28, 2026 - 07:22 vuln.today
cvss_changed
CVSS changed
Apr 28, 2026 - 07:22 NVD
8.2 (HIGH) 8.6 (HIGH)
Analysis Generated
Apr 28, 2026 - 06:45 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 06:30 euvd
EUVD-2026-25994
Analysis Generated
Apr 28, 2026 - 06:30 vuln.today
CVE Published
Apr 28, 2026 - 06:03 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 162 maven packages depend on org.springframework.ai:spring-ai-vector-store (35 direct, 127 indirect)

Ecosystem-wide dependent count for version 1.0.0.

DescriptionCVE.org

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.

Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

AnalysisAI

Filter expression injection in Spring AI 1.0.0-1.0.5 and 1.1.0-1.1.4 allows remote unauthenticated attackers to manipulate vector store queries through unescaped keys and values in FilterExpressionConverter implementations. The vulnerability enables query language injection across multiple vector database backends, potentially exposing sensitive data (CVSS:C:H) and modifying query results (CVSS:I:L). VMware has released patches in versions 1.0.6 and 1.1.5. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack vector (AV:N/AC:L/PR:N) and code injection classification (CWE-94) indicate significant risk for applications processing untrusted filter expressions.

Technical ContextAI

Spring AI is a framework for building AI-powered applications in Java, providing abstractions for vector databases and similarity search operations. The vulnerability affects FilterExpressionConverter implementations, which translate Spring AI's filter expression objects into vendor-specific query languages for vector stores (e.g., Pinecone, Weaviate, Milvus, ChromaDB). CWE-94 (Improper Control of Generation of Code/Code Injection) indicates that user-controlled input is incorporated into dynamically constructed queries without proper sanitization. When filter expression keys and values are not escaped during translation to the target vector store's query syntax, attackers can inject additional query commands, operators, or logic similar to SQL injection but targeting vector database query languages. The affected CPE cpe:2.3:a:spring:spring_ai confirms this is a core Spring AI framework vulnerability, not limited to a single vector store backend.

RemediationAI

Upgrade to Spring AI 1.0.6 if running 1.0.x versions, or upgrade to Spring AI 1.1.5 if running 1.1.x versions, as confirmed by VMware in the security advisory at https://spring.io/security/cve-2026-40967. Review application code to identify all locations where filter expressions are constructed from user input or external sources, then apply strict input validation on filter expression keys and values before passing to FilterExpressionConverter implementations. If immediate patching is not feasible, implement compensating controls: restrict filter expression functionality to authenticated trusted users only (reduces PR:N to PR:L/H), enforce allowlists for permitted filter keys and operators (blocks injection attempts), or disable dynamic filter expression features entirely until patching completes (eliminates attack surface but may impact application functionality). Each workaround trades functionality for security: allowlists require maintenance as legitimate use cases evolve, disabling features may break user workflows, and restricting to authenticated users still leaves insider threat exposure. Vector store access credentials should follow least-privilege principles to limit blast radius if query injection succeeds.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-25994 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy