
Spring AI EUVD-2026-36796 | CVE-2026-47835 HIGH

Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-06-15 · vmware · GHSA-cmwh-w62w-r2mf
8.6 (CVSS 3.1) · Vendor: vmware

Severity by source

Vendor (vmware) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
8.6 HIGH

Remote network-exposed RAG endpoints accept untrusted input with no auth or interaction (AV:N/AC:L/PR:N/UI:N); injection yields full index reads (C:H) but only limited tampering and disruption (I:L/A:L).

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS Vector (Vendor: vmware)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: Jun 15, 2026 - 21:01 (EUVD)
Analysis Generated: Jun 15, 2026 - 19:55 (vuln.today)
CVE Published: Jun 15, 2026 - 18:54 (cve.org)

Description (CVE.org)

In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store.

Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).

Analysis (AI)

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers to inject special characters into vector-store inputs and force execution of arbitrary queries against Elasticsearch, OpenSearch, and GemFire VectorDB backends. The flaw resides in the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, enabling information disclosure and limited integrity/availability impact against any application embedding Spring AI's vector-store abstraction. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Spring AI RAG endpoint
Delivery: Probe filter input with query metacharacters
Exploit: Inject crafted Elasticsearch/OpenSearch/GemFire query fragment
Execution: Backend executes attacker-controlled query
Impact: Exfiltrate vector-indexed documents and embeddings

Vulnerability Assessment (AI)

Exploitation The vulnerable application must use Spring AI 1.0.0-1.0.8 or 1.1.0-1.1.7 with one of the spring-ai-elasticsearch-store, spring-ai-opensearch-store, or spring-ai-gemfire-store modules wired into a VectorStore bean, and it must pass attacker-influenced strings (chat input, search terms, or metadata filter values) into vector-store query or filter APIs without prior sanitization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Multiple signals converge on a genuinely elevated but not emergency risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker interacting with a public-facing RAG chatbot built on Spring AI crafts a prompt or metadata filter value containing special characters that break out of the intended Elasticsearch Query DSL fragment, causing the backend to execute an attacker-controlled query that returns documents outside the user's normal authorization scope - for example, dumping every embedded document in the index regardless of tenant filters. With no public PoC currently identified, exploitation requires the attacker to reverse-engineer the application's filter syntax, but the AC:L rating indicates this is straightforward once the injection point is observed.
Remediation Vendor-released patches are available: upgrade Spring AI to 1.0.9 (for the 1.0.x line) or 1.1.8 (for the 1.1.x line) as documented at https://spring.io/security/cve-2026-47835, ensuring any transitive dependency on spring-ai-elasticsearch-store, spring-ai-opensearch-store, or spring-ai-gemfire-store is pinned to the fixed versions. … Detailed patch versions, workarounds, and compensating controls in full report.
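The analysis and exploit scenario above describe the injection class generically: an attacker-influenced filter value is spliced as text into a backend query, and query metacharacters in that value change the query's structure instead of being matched literally. The following added example (not Spring AI's code, and not a reproduction of the actual Spring AI defect, whose details the advisory does not give) illustrates the pattern against an in-memory stand-in for an Elasticsearch index. It assumes a hypothetical vulnerable builder that concatenates a tenant value into Lucene-style query_string syntax, and contrasts it with a builder that places the value as a leaf inside a structured term query. The query_string evaluator is a deliberately small demonstration subset (field:value clauses, the "*" wildcard, AND/OR), not Elasticsearch's parser; the documents and the payload are constructed for the example.

```python
import json
import re

# Constructed sample index (hypothetical documents, not Spring AI data).
INDEX = [
    {"id": "d1", "metadata.tenant": "acme",   "content": "Acme Q3 revenue plan"},
    {"id": "d2", "metadata.tenant": "acme",   "content": "Acme onboarding guide"},
    {"id": "d3", "metadata.tenant": "globex", "content": "Globex merger memo"},
]

# --- Demonstration evaluator for a subset of Lucene query_string syntax ------
# Supports field:value clauses, the wildcard value "*", the any-field form
# "*:*", and the operators AND / OR (AND binds tighter than OR here). This is
# an illustrative evaluator, not Elasticsearch's parser.
_TOKEN = re.compile(r"\S+")


def _clause_matches(clause, doc):
    field, sep, value = clause.partition(":")
    if not sep:
        raise ValueError(f"clause without a field: {clause!r}")
    fields = [k for k in doc if k != "id"] if field == "*" else [field]
    return any(value == "*" or doc.get(f) == value for f in fields)


def eval_query_string(query, docs):
    """Return ids of docs matching the query_string subset described above."""
    groups, current = [], []          # OR-separated groups of AND-ed clauses
    for tok in _TOKEN.findall(query):
        if tok == "OR":
            groups.append(current)
            current = []
        elif tok != "AND":
            current.append(tok)
    groups.append(current)

    def doc_ok(doc):
        return any(group and all(_clause_matches(c, doc) for c in group)
                   for group in groups)

    return [d["id"] for d in docs if doc_ok(d)]


def eval_term(query, docs):
    """Evaluate a structured {"term": {field: value}} query; the value is a leaf."""
    (field, value), = query["term"].items()
    return [d["id"] for d in docs if d.get(field) == value]


# --- The two builders under comparison --------------------------------------
def filter_by_concat(tenant):
    # Vulnerable pattern (hypothetical): untrusted value spliced into query text.
    # Operators and wildcards inside `tenant` become part of the query grammar.
    return "metadata.tenant:" + tenant


def filter_structured(tenant):
    # Hardened pattern: the value is a JSON leaf of a structured query, so the
    # serialized form the backend parses cannot be restructured by the value.
    return {"term": {"metadata.tenant": tenant}}


def search_vulnerable(tenant, docs=INDEX):
    return eval_query_string(filter_by_concat(tenant), docs)


def search_hardened(tenant, docs=INDEX):
    # Round-trip through JSON to mirror what actually reaches the backend.
    return eval_term(json.loads(json.dumps(filter_structured(tenant))), docs)


if __name__ == "__main__":
    payload = "acme OR *:*"   # constructed payload: appends an any-field clause
    print("vulnerable, honest value :", search_vulnerable("acme"))
    print("vulnerable, payload      :", search_vulnerable(payload))
    print("hardened, honest value   :", search_hardened("acme"))
    print("hardened, payload        :", search_hardened(payload))
```

With the honest value both builders return only the two acme documents. With the payload the concatenating builder returns every document in the index, which is the cross-tenant read the exploit scenario describes, while the structured builder matches nothing because the whole string is compared literally against the tenant field. The point generalizes beyond this toy grammar: a filter value that only ever occupies a leaf position in a structured query has no grammar to break out of, so there is nothing to escape.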

Recommended Action (AI)

24 hours: Audit all applications and infrastructure to identify Spring AI deployments using versions 1.0.0-1.0.8 or 1.1.0-1.1.7. …
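The first step above, finding deployments on the affected version lines, is mechanical once the dependency graph is in hand. The following added example (not part of the advisory or of Spring AI) scans the text output of Maven's dependency:tree for the three affected artifacts under the org.springframework.ai group and classifies each by the ranges the advisory states (1.0.0 through 1.0.8 fixed in 1.0.9; 1.1.0 through 1.1.7 fixed in 1.1.8). Versions on other lines and pre-release qualifiers are reported for manual review rather than guessed at, since the advisory does not cover them. The sample tree is constructed for the example; the artifact names in it other than the three affected ones are illustrative.

```python
import re

# Affected artifacts and first fixed patch per version line, per the advisory.
AFFECTED_ARTIFACTS = {
    "spring-ai-elasticsearch-store",
    "spring-ai-opensearch-store",
    "spring-ai-gemfire-store",
}
FIXED_PATCH = {(1, 0): 9, (1, 1): 8}   # (major, minor) -> first fixed patch

# Matches Maven dependency:tree coordinates such as
# "org.springframework.ai:spring-ai-elasticsearch-store:jar:1.0.5:compile".
_DEP = re.compile(
    r"org\.springframework\.ai:(spring-ai-[\w-]+):(?:jar|pom):([^:\s]+)(?::\w+)?"
)
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")


def classify(artifact, version):
    """Classify one coordinate against the advisory's affected ranges."""
    if artifact not in AFFECTED_ARTIFACTS:
        return "not-listed-artifact"
    m = _VER.match(version)
    if not m:
        return "unparsed-version"
    major, minor, patch, qualifier = int(m[1]), int(m[2]), int(m[3]), m[4]
    if qualifier:
        # Milestones / release candidates are not covered by the stated ranges.
        return "prerelease-review-manually"
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "version-line-not-in-advisory"
    return "fixed" if patch >= fixed else "vulnerable"


def scan_dependency_tree(text):
    """Return (artifact, version, classification) for every Spring AI coordinate."""
    findings = []
    for line in text.splitlines():
        m = _DEP.search(line)
        if m:
            artifact, version = m.groups()
            findings.append((artifact, version, classify(artifact, version)))
    return findings


def vulnerable_coordinates(text):
    """Only the coordinates that fall inside an affected range."""
    return [f"{a}:{v}" for a, v, c in scan_dependency_tree(text) if c == "vulnerable"]


# Constructed sample of `mvn dependency:tree` output (hypothetical project).
SAMPLE_TREE = """\
[INFO] com.example:rag-service:jar:0.3.0
[INFO] +- org.springframework.ai:spring-ai-elasticsearch-store:jar:1.0.5:compile
[INFO] |  \\- org.springframework.ai:spring-ai-vector-store:jar:1.0.5:compile
[INFO] +- org.springframework.ai:spring-ai-opensearch-store:jar:1.1.8:compile
[INFO] +- org.springframework.ai:spring-ai-gemfire-store:jar:1.1.0-RC1:compile
[INFO] \\- org.springframework.ai:spring-ai-pgvector-store:jar:1.0.5:compile
"""

if __name__ == "__main__":
    for artifact, version, verdict in scan_dependency_tree(SAMPLE_TREE):
        print(f"{verdict:32} {artifact}:{version}")
    print("vulnerable:", vulnerable_coordinates(SAMPLE_TREE))
```

Feed it real output with `mvn dependency:tree > tree.txt` per module; transitive pulls show up the same way as direct ones, which is what the remediation note about pinning transitive dependencies is getting at. Gradle's dependency report uses a different line format and is not parsed here.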


EUVD-2026-36796 vulnerability details – vuln.today
