Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Lifecycle Timeline
3Blast Radius
ecosystem impact- 2 maven packages depend on org.springframework.ai:spring-ai-milvus-store (1 direct, 1 indirect)
- 1 maven packages depend on org.springframework.ai:spring-ai-typesense-store (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.0 and other introduced versions.
DescriptionCVE.org
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.
AnalysisAI
Filter-expression injection in Spring AI's MilvusVectorStore allows remote unauthenticated attackers to manipulate vector database queries by injecting malicious filter expressions through unsanitized document IDs. Affects Spring AI 1.0.0-1.0.6 and 1.1.0-1.1.5. VMware has released patches in versions 1.0.7 and 1.1.6. CVSS 8.6 (High) with network attack vector and no privileges required. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Technical ContextAI
Spring AI is VMware's application framework for building AI-powered applications in Java, providing abstractions for vector databases and large language models. The vulnerability exists in the MilvusVectorStore component, which interfaces with Milvus vector databases for similarity search and retrieval-augmented generation (RAG) workflows. The doDelete(List) method fails to sanitize document IDs before incorporating them into filter expressions sent to the Milvus database. This is a CWE-917 (Expression Language Injection) vulnerability where attacker-controlled data is interpreted as executable filter logic rather than literal identifiers. The affected CPE (cpe:2.3:a:spring:spring_ai) indicates this is specific to Spring AI's vector store implementations, not the broader Spring Framework ecosystem.
RemediationAI
Upgrade to Spring AI 1.0.7 or later for the 1.0.x branch, or upgrade to Spring AI 1.1.6 or later for the 1.1.x branch, as specified in VMware's security advisory at https://spring.io/security/cve-2026-41705. The patched versions implement proper input sanitization in the MilvusVectorStore doDelete method to prevent filter-expression injection. If immediate patching is not feasible, implement strict input validation on document IDs before passing them to vector store delete operations-specifically, whitelist alphanumeric characters and reject any IDs containing Milvus filter expression metacharacters (parentheses, logical operators, comparison operators). This workaround may break legitimate use cases requiring special characters in document identifiers and should be tested thoroughly. Additionally, apply principle of least privilege to Milvus database credentials used by Spring AI to limit blast radius of successful injection attacks-restrict delete permissions where possible and isolate vector store collections by trust boundary.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28875
GHSA-v632-2m87-7469