Search criteria
28 vulnerabilities found for spring_ai by vmware
CVE-2026-41713 (GCVE-0-2026-41713)
Vulnerability from nvd – Published: 2026-05-12 10:17 – Updated: 2026-05-12 12:11
VLAI?
Title
Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor
Summary
A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.
Severity ?
8.2 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T12:11:07.556751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:11:27.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "oss"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.0",
"versionType": "oss"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmed Sekka (GitHub: https://github.com/ahmed-sekka )"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.\u003c/p\u003e"
}
],
"value": "A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T10:19:26.231Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41713"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N\u0026version=3.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41713",
"datePublished": "2026-05-12T10:17:39.094Z",
"dateReserved": "2026-04-22T06:21:34.490Z",
"dateUpdated": "2026-05-12T12:11:27.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41712 (GCVE-0-2026-41712)
Vulnerability from nvd – Published: 2026-05-12 10:17 – Updated: 2026-05-12 12:14
VLAI?
Title
ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage
Summary
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.
Severity ?
7.5 (High)
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T12:13:06.957308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:14:22.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ahmed Sekka (GitHub: https://github.com/ahmed-sekka ); sharlongwen"
}
],
"descriptions": [
{
"lang": "en",
"value": "Spring AI\u0027s chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T10:17:36.399Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41712"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1"
}
],
"title": "ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage"
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41712",
"datePublished": "2026-05-12T10:17:36.399Z",
"dateReserved": "2026-04-22T06:21:34.490Z",
"dateUpdated": "2026-05-12T12:14:22.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41705 (GCVE-0-2026-41705)
Vulnerability from nvd – Published: 2026-05-09 00:34 – Updated: 2026-05-11 14:38
VLAI?
Summary
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.
Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.
Severity ?
8.6 (High)
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T14:38:20.299949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T14:38:29.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring AI\u0027s MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.\nSpring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater."
}
],
"value": "Spring AI\u0027s MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.\nSpring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote attacker can inject filter expressions via unsanitized document IDs in MilvusVectorStore#doDelete to destroy stored vector data and expose sensitive information."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T00:34:17.870Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41705"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41705",
"datePublished": "2026-05-09T00:34:17.870Z",
"dateReserved": "2026-04-22T06:21:34.489Z",
"dateUpdated": "2026-05-11T14:38:29.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40980 (GCVE-0-2026-40980)
Vulnerability from nvd – Published: 2026-04-28 07:31 – Updated: 2026-04-28 12:32
VLAI?
Summary
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T12:32:31.966033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T12:32:40.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by \u003ccode\u003eForkPDFLayoutTextStripper\u003c/code\u003e.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A crafted PDF can trigger excessive memory allocation (OOM), with high availability impact and no confidentiality or integrity impact per CVSS v3.1."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:31:24.041Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40980"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40980",
"datePublished": "2026-04-28T07:31:24.041Z",
"dateReserved": "2026-04-16T02:19:04.616Z",
"dateUpdated": "2026-04-28T12:32:40.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40979 (GCVE-0-2026-40979)
Vulnerability from nvd – Published: 2026-04-28 07:31 – Updated: 2026-04-28 12:33
VLAI?
Summary
In Spring AI, having access to a shared environment can expose the ONNX model used by the application.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
6.1 (Medium)
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T12:32:58.677891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T12:33:07.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Spring AI, having access to a shared environment can expose the ONNX model used by the application.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "In Spring AI, having access to a shared environment can expose the ONNX model used by the application.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Shared environments can expose the ONNX model cache due to world-writable, predictable paths under /tmp; CVSS v3.1 indicates low confidentiality and high integrity impact."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377: Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:31:21.447Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40979"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40979",
"datePublished": "2026-04-28T07:31:21.447Z",
"dateReserved": "2026-04-16T02:19:04.616Z",
"dateUpdated": "2026-04-28T12:33:07.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40978 (GCVE-0-2026-40978)
Vulnerability from nvd – Published: 2026-04-28 07:18 – Updated: 2026-04-29 03:55
VLAI?
Summary
SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T03:55:35.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in Spring AI\u0027s \u003ccode\u003eCosmosDBVectorStore\u003c/code\u003e allows attackers to execute arbitrary SQL queries via crafted document IDs.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "SQL injection vulnerability in Spring AI\u0027s `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Allows execution of arbitrary SQL via crafted document IDs, with high impact to confidentiality, integrity, and availability per CVSS v3.1."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:18:53.774Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40978"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40978",
"datePublished": "2026-04-28T07:18:53.774Z",
"dateReserved": "2026-04-16T02:19:04.616Z",
"dateUpdated": "2026-04-29T03:55:35.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40966 (GCVE-0-2026-40966)
Vulnerability from nvd – Published: 2026-04-28 06:42 – Updated: 2026-04-28 13:37
VLAI?
Title
VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration
Summary
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
Severity ?
5.9 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T13:18:57.595874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T13:37:35.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "OSS"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "oss"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jinyeong Seol Seol-JY; Cantina\u0027s AppSec agent, Apex ( https://www.cantina.security )"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.\u003c/p\u003e"
}
],
"value": "In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T06:49:32.025Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40966"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1\u0026vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40966",
"datePublished": "2026-04-28T06:42:36.619Z",
"dateReserved": "2026-04-16T02:18:56.133Z",
"dateUpdated": "2026-04-28T13:37:35.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40967 (GCVE-0-2026-40967)
Vulnerability from nvd – Published: 2026-04-28 06:03 – Updated: 2026-04-29 13:29
VLAI?
Summary
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
8.6 (High)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T03:55:37.906349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:29:47.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:06:12.153Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40967"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40967",
"datePublished": "2026-04-28T06:03:51.857Z",
"dateReserved": "2026-04-16T02:18:56.133Z",
"dateUpdated": "2026-04-29T13:29:47.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22744 (GCVE-0-2026-22744)
Vulnerability from nvd – Published: 2026-03-27 05:38 – Updated: 2026-03-27 19:39
VLAI?
Summary
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
7.5 (High)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:24:06.429869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:39:20.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eIn\u0026nbsp;RedisFilterExpressionConverter\u003c/code\u003e\u0026nbsp;of\u0026nbsp;\u003ccode\u003espring-ai-redis-store\u003c/code\u003e, when a user-controlled string is passed as a filter value for a TAG field,\u0026nbsp;\u003ccode\u003estringValue()\u003c/code\u003e\u0026nbsp;inserts the value directly into the\u0026nbsp;\u003ccode\u003e@field:{VALUE}\u003c/code\u003e\u0026nbsp;RediSearch TAG block without escaping characters.\u003cp\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/p\u003e"
}
],
"value": "In\u00a0RedisFilterExpressionConverter\u00a0of\u00a0spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field,\u00a0stringValue()\u00a0inserts the value directly into the\u00a0@field:{VALUE}\u00a0RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:38:59.633Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22744"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22744",
"datePublished": "2026-03-27T05:38:59.633Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-03-27T19:39:20.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22743 (GCVE-0-2026-22743)
Vulnerability from nvd – Published: 2026-03-27 05:33 – Updated: 2026-03-27 19:38
VLAI?
Title
Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore
Summary
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:38:40.716545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:38:58.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring AI\u0027s\u0026nbsp;\u003ccode\u003espring-ai-neo4j-store\u003c/code\u003e\u0026nbsp;contains a Cypher injection vulnerability in\u0026nbsp;\u003ccode\u003eNeo4jVectorFilterExpressionConverter\u003c/code\u003e. When a user-controlled string is passed as a filter expression key in\u0026nbsp;\u003ccode\u003eNeo4jVectorFilterExpressionConverter\u003c/code\u003e\u0026nbsp;of\u0026nbsp;\u003ccode\u003espring-ai-neo4j-store\u003c/code\u003e,\u0026nbsp;\u003ccode\u003edoKey()\u003c/code\u003e\u0026nbsp;embeds the key into a backtick-delimited Cypher property accessor (\u003ccode\u003enode.`metadata.`\u003c/code\u003e) after stripping only double quotes, without escaping embedded backticks.\u003cp\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/p\u003e"
}
],
"value": "Spring AI\u0027s\u00a0spring-ai-neo4j-store\u00a0contains a Cypher injection vulnerability in\u00a0Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in\u00a0Neo4jVectorFilterExpressionConverter\u00a0of\u00a0spring-ai-neo4j-store,\u00a0doKey()\u00a0embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:33:20.872Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22743"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22743",
"datePublished": "2026-03-27T05:33:20.872Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-03-27T19:38:58.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22742 (GCVE-0-2026-22742)
Vulnerability from nvd – Published: 2026-03-27 05:27 – Updated: 2026-05-10 13:03
VLAI?
Title
Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching
Summary
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.
This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
8.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:24:16.998653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:03:54.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eSpring AI\u0027s spring-ai-bedrock-converse\u003c/code\u003e\u0026nbsp;contains a Server-Side Request Forgery (SSRF) vulnerability in\u0026nbsp;\u003ccode\u003eBedrockProxyChatModel\u003c/code\u003e\u0026nbsp;when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\u003cbr\u003e\u003cp\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/p\u003e"
}
],
"value": "Spring AI\u0027s spring-ai-bedrock-converse\u00a0contains a Server-Side Request Forgery (SSRF) vulnerability in\u00a0BedrockProxyChatModel\u00a0when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:27:41.165Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22742"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22742",
"datePublished": "2026-03-27T05:27:41.165Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-05-10T13:03:54.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22738 (GCVE-0-2026-22738)
Vulnerability from nvd – Published: 2026-03-27 05:21 – Updated: 2026-05-10 13:04
VLAI?
Title
SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
Summary
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected.
This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
9.8 (Critical)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-28T03:55:48.325602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:04:38.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Spring AI, a SpEL injection vulnerability exists in\u0026nbsp;\u003ccode\u003eSimpleVectorStore\u003c/code\u003e\u0026nbsp;when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.\u0026nbsp;\u003cspan\u003eOnly applications that use\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003eSimpleVectorStore\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eand pass user-supplied input as a filter expression key are affected.\u003cbr\u003e\u003c/span\u003e\u003cspan\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "In Spring AI, a SpEL injection vulnerability exists in\u00a0SimpleVectorStore\u00a0when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.\u00a0Only applications that use\u00a0SimpleVectorStore\u00a0and pass user-supplied input as a filter expression key are affected.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:21:07.168Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22738"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22738",
"datePublished": "2026-03-27T05:21:07.168Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-05-10T13:04:38.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22730 (GCVE-0-2026-22730)
Vulnerability from nvd – Published: 2026-03-18 07:36 – Updated: 2026-03-19 03:55
VLAI?
Title
CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter
Summary
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.
The vulnerability exists due to missing input sanitization.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
Date Public ?
2026-03-17 07:32
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T03:55:21.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Spring AI",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "1.0.x",
"versionType": "OSS"
},
{
"lessThan": "1.1.3",
"status": "affected",
"version": "1.1.x",
"versionType": "oss"
}
]
}
],
"datePublic": "2026-03-17T07:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA critical SQL injection vulnerability in Spring AI\u0027s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.\u003c/p\u003e\u003cp\u003eThe vulnerability exists due to missing input sanitization.\u003c/p\u003e"
}
],
"value": "A critical SQL injection vulnerability in Spring AI\u0027s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.\n\nThe vulnerability exists due to missing input sanitization."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T07:36:30.533Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22730"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22730",
"datePublished": "2026-03-18T07:36:30.533Z",
"dateReserved": "2026-01-09T06:54:41.498Z",
"dateUpdated": "2026-03-19T03:55:21.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22729 (GCVE-0-2026-22729)
Vulnerability from nvd – Published: 2026-03-18 07:39 – Updated: 2026-03-18 15:35
VLAI?
Title
CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
Summary
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.
This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.
The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
Severity ?
8.6 (High)
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
1 reference
Impacted products
Date Public ?
2026-03-17 07:32
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T14:50:07.381087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:35:10.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Spring AI",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "1.0.x",
"versionType": "OSS"
},
{
"lessThan": "1.1.3",
"status": "affected",
"version": "1.1.x",
"versionType": "oss"
}
]
}
],
"datePublic": "2026-03-17T07:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA JSONPath injection vulnerability in Spring AI\u0027s AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.\u003c/p\u003e\u003cp\u003eThis vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.\u003c/p\u003e\u003cp\u003eThe vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like\u0026nbsp;\u003ccode\u003e\"\u003c/code\u003e,\u0026nbsp;\u003ccode\u003e||\u003c/code\u003e, and\u0026nbsp;\u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e\u0026nbsp;are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.\u003c/p\u003e"
}
],
"value": "A JSONPath injection vulnerability in Spring AI\u0027s AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.\n\nThis vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.\n\nThe vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like\u00a0\",\u00a0||, and\u00a0\u0026\u0026\u00a0are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T07:39:56.739Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22729"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22729",
"datePublished": "2026-03-18T07:39:56.739Z",
"dateReserved": "2026-01-09T06:54:41.497Z",
"dateUpdated": "2026-03-18T15:35:10.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41713 (GCVE-0-2026-41713)
Vulnerability from cvelistv5 – Published: 2026-05-12 10:17 – Updated: 2026-05-12 12:11
VLAI?
Title
Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor
Summary
A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.
Severity ?
8.2 (High)
CWE
- CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T12:11:07.556751Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:11:27.971Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "oss"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.0",
"versionType": "oss"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmed Sekka (GitHub: https://github.com/ahmed-sekka )"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.\u003c/p\u003e"
}
],
"value": "A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T10:19:26.231Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41713"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N\u0026version=3.1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Prompt Injection via Memory Poisoning in PromptChatMemoryAdvisor",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41713",
"datePublished": "2026-05-12T10:17:39.094Z",
"dateReserved": "2026-04-22T06:21:34.490Z",
"dateUpdated": "2026-05-12T12:11:27.971Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41712 (GCVE-0-2026-41712)
Vulnerability from cvelistv5 – Published: 2026-05-12 10:17 – Updated: 2026-05-12 12:14
VLAI?
Title
ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage
Summary
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.
Severity ?
7.5 (High)
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T12:13:06.957308Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T12:14:22.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Ahmed Sekka (GitHub: https://github.com/ahmed-sekka ); sharlongwen"
}
],
"descriptions": [
{
"lang": "en",
"value": "Spring AI\u0027s chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T10:17:36.399Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41712"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\u0026version=3.1"
}
],
"title": "ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage"
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41712",
"datePublished": "2026-05-12T10:17:36.399Z",
"dateReserved": "2026-04-22T06:21:34.490Z",
"dateUpdated": "2026-05-12T12:14:22.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41705 (GCVE-0-2026-41705)
Vulnerability from cvelistv5 – Published: 2026-05-09 00:34 – Updated: 2026-05-11 14:38
VLAI?
Summary
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.
Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.
Severity ?
8.6 (High)
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41705",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T14:38:20.299949Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T14:38:29.738Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.7",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.6",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring AI\u0027s MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.\nSpring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater."
}
],
"value": "Spring AI\u0027s MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.\nSpring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An unauthenticated remote attacker can inject filter expressions via unsanitized document IDs in MilvusVectorStore#doDelete to destroy stored vector data and expose sensitive information."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T00:34:17.870Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-41705"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-41705",
"datePublished": "2026-05-09T00:34:17.870Z",
"dateReserved": "2026-04-22T06:21:34.489Z",
"dateUpdated": "2026-05-11T14:38:29.738Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40980 (GCVE-0-2026-40980)
Vulnerability from cvelistv5 – Published: 2026-04-28 07:31 – Updated: 2026-04-28 12:32
VLAI?
Summary
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40980",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T12:32:31.966033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T12:32:40.140Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by \u003ccode\u003eForkPDFLayoutTextStripper\u003c/code\u003e.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "A crafted PDF can trigger excessive memory allocation (OOM), with high availability impact and no confidentiality or integrity impact per CVSS v3.1."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:31:24.041Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40980"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40980",
"datePublished": "2026-04-28T07:31:24.041Z",
"dateReserved": "2026-04-16T02:19:04.616Z",
"dateUpdated": "2026-04-28T12:32:40.140Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40979 (GCVE-0-2026-40979)
Vulnerability from cvelistv5 – Published: 2026-04-28 07:31 – Updated: 2026-04-28 12:33
VLAI?
Summary
In Spring AI, having access to a shared environment can expose the ONNX model used by the application.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
6.1 (Medium)
CWE
- CWE-377 - Insecure Temporary File
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40979",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T12:32:58.677891Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T12:33:07.977Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Spring AI, having access to a shared environment can expose the ONNX model used by the application.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "In Spring AI, having access to a shared environment can expose the ONNX model used by the application.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Shared environments can expose the ONNX model cache due to world-writable, predictable paths under /tmp; CVSS v3.1 indicates low confidentiality and high integrity impact."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-377",
"description": "CWE-377: Insecure Temporary File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:31:21.447Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40979"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40979",
"datePublished": "2026-04-28T07:31:21.447Z",
"dateReserved": "2026-04-16T02:19:04.616Z",
"dateUpdated": "2026-04-28T12:33:07.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40978 (GCVE-0-2026-40978)
Vulnerability from cvelistv5 – Published: 2026-04-28 07:18 – Updated: 2026-04-29 03:55
VLAI?
Summary
SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T03:55:35.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in Spring AI\u0027s \u003ccode\u003eCosmosDBVectorStore\u003c/code\u003e allows attackers to execute arbitrary SQL queries via crafted document IDs.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "SQL injection vulnerability in Spring AI\u0027s `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Allows execution of arbitrary SQL via crafted document IDs, with high impact to confidentiality, integrity, and availability per CVSS v3.1."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:18:53.774Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40978"
}
],
"source": {
"discovery": "UNKNOWN"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40978",
"datePublished": "2026-04-28T07:18:53.774Z",
"dateReserved": "2026-04-16T02:19:04.616Z",
"dateUpdated": "2026-04-29T03:55:35.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40966 (GCVE-0-2026-40966)
Vulnerability from cvelistv5 – Published: 2026-04-28 06:42 – Updated: 2026-04-28 13:37
VLAI?
Title
VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration
Summary
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
Severity ?
5.9 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
2 references
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40966",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T13:18:57.595874Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T13:37:35.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "OSS"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "oss"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jinyeong Seol Seol-JY; Cantina\u0027s AppSec agent, Apex ( https://www.cantina.security )"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.\u003c/p\u003e"
}
],
"value": "In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T06:49:32.025Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40966"
},
{
"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1\u0026vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40966",
"datePublished": "2026-04-28T06:42:36.619Z",
"dateReserved": "2026-04-16T02:18:56.133Z",
"dateUpdated": "2026-04-28T13:37:35.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40967 (GCVE-0-2026-40967)
Vulnerability from cvelistv5 – Published: 2026-04-28 06:03 – Updated: 2026-04-29 13:29
VLAI?
Summary
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity ?
8.6 (High)
CWE
- CWE-94 - Improper Control of Generation of Code
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40967",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-29T03:55:37.906349Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T13:29:47.165Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.6",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.5",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.\u003cbr\u003e\u003cbr\u003eAffected versions:\u003cbr\u003eSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"value": "In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T07:06:12.153Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-40967"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-40967",
"datePublished": "2026-04-28T06:03:51.857Z",
"dateReserved": "2026-04-16T02:18:56.133Z",
"dateUpdated": "2026-04-29T13:29:47.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22744 (GCVE-0-2026-22744)
Vulnerability from cvelistv5 – Published: 2026-03-27 05:38 – Updated: 2026-03-27 19:39
VLAI?
Summary
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
7.5 (High)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:24:06.429869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:39:20.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eIn\u0026nbsp;RedisFilterExpressionConverter\u003c/code\u003e\u0026nbsp;of\u0026nbsp;\u003ccode\u003espring-ai-redis-store\u003c/code\u003e, when a user-controlled string is passed as a filter value for a TAG field,\u0026nbsp;\u003ccode\u003estringValue()\u003c/code\u003e\u0026nbsp;inserts the value directly into the\u0026nbsp;\u003ccode\u003e@field:{VALUE}\u003c/code\u003e\u0026nbsp;RediSearch TAG block without escaping characters.\u003cp\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/p\u003e"
}
],
"value": "In\u00a0RedisFilterExpressionConverter\u00a0of\u00a0spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field,\u00a0stringValue()\u00a0inserts the value directly into the\u00a0@field:{VALUE}\u00a0RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:38:59.633Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22744"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22744",
"datePublished": "2026-03-27T05:38:59.633Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-03-27T19:39:20.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22743 (GCVE-0-2026-22743)
Vulnerability from cvelistv5 – Published: 2026-03-27 05:33 – Updated: 2026-03-27 19:38
VLAI?
Title
Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore
Summary
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:38:40.716545Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T19:38:58.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Spring AI\u0027s\u0026nbsp;\u003ccode\u003espring-ai-neo4j-store\u003c/code\u003e\u0026nbsp;contains a Cypher injection vulnerability in\u0026nbsp;\u003ccode\u003eNeo4jVectorFilterExpressionConverter\u003c/code\u003e. When a user-controlled string is passed as a filter expression key in\u0026nbsp;\u003ccode\u003eNeo4jVectorFilterExpressionConverter\u003c/code\u003e\u0026nbsp;of\u0026nbsp;\u003ccode\u003espring-ai-neo4j-store\u003c/code\u003e,\u0026nbsp;\u003ccode\u003edoKey()\u003c/code\u003e\u0026nbsp;embeds the key into a backtick-delimited Cypher property accessor (\u003ccode\u003enode.`metadata.`\u003c/code\u003e) after stripping only double quotes, without escaping embedded backticks.\u003cp\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/p\u003e"
}
],
"value": "Spring AI\u0027s\u00a0spring-ai-neo4j-store\u00a0contains a Cypher injection vulnerability in\u00a0Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in\u00a0Neo4jVectorFilterExpressionConverter\u00a0of\u00a0spring-ai-neo4j-store,\u00a0doKey()\u00a0embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:33:20.872Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22743"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery via Filter Expression Keys in Neo4jVectorStore",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22743",
"datePublished": "2026-03-27T05:33:20.872Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-03-27T19:38:58.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22742 (GCVE-0-2026-22742)
Vulnerability from cvelistv5 – Published: 2026-03-27 05:27 – Updated: 2026-05-10 13:03
VLAI?
Title
Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching
Summary
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.
This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
8.6 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T19:24:16.998653Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:03:54.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ccode\u003eSpring AI\u0027s spring-ai-bedrock-converse\u003c/code\u003e\u0026nbsp;contains a Server-Side Request Forgery (SSRF) vulnerability in\u0026nbsp;\u003ccode\u003eBedrockProxyChatModel\u003c/code\u003e\u0026nbsp;when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\u003cbr\u003e\u003cp\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/p\u003e"
}
],
"value": "Spring AI\u0027s spring-ai-bedrock-converse\u00a0contains a Server-Side Request Forgery (SSRF) vulnerability in\u00a0BedrockProxyChatModel\u00a0when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:27:41.165Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22742"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22742",
"datePublished": "2026-03-27T05:27:41.165Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-05-10T13:03:54.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22738 (GCVE-0-2026-22738)
Vulnerability from cvelistv5 – Published: 2026-03-27 05:21 – Updated: 2026-05-10 13:04
VLAI?
Title
SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution
Summary
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected.
This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Severity ?
9.8 (Critical)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-28T03:55:48.325602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88 Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:04:38.045Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spring AI",
"vendor": "Spring",
"versions": [
{
"lessThan": "1.0.5",
"status": "affected",
"version": "1.0.0",
"versionType": "custom"
},
{
"lessThan": "1.1.4",
"status": "affected",
"version": "1.1.0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Spring AI, a SpEL injection vulnerability exists in\u0026nbsp;\u003ccode\u003eSimpleVectorStore\u003c/code\u003e\u0026nbsp;when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.\u0026nbsp;\u003cspan\u003eOnly applications that use\u003c/span\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003ccode\u003eSimpleVectorStore\u003c/code\u003e\u003cspan\u003e\u0026nbsp;\u003c/span\u003e\u003cspan\u003eand pass user-supplied input as a filter expression key are affected.\u003cbr\u003e\u003c/span\u003e\u003cspan\u003eThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.\u003c/span\u003e\u003c/p\u003e"
}
],
"value": "In Spring AI, a SpEL injection vulnerability exists in\u00a0SimpleVectorStore\u00a0when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code.\u00a0Only applications that use\u00a0SimpleVectorStore\u00a0and pass user-supplied input as a filter expression key are affected.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T05:21:07.168Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22738"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SpEL Injection via Unescaped Filter Key in SimpleVectorStore Leads to Remote Code Execution",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22738",
"datePublished": "2026-03-27T05:21:07.168Z",
"dateReserved": "2026-01-09T06:54:49.675Z",
"dateUpdated": "2026-05-10T13:04:38.045Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22729 (GCVE-0-2026-22729)
Vulnerability from cvelistv5 – Published: 2026-03-18 07:39 – Updated: 2026-03-18 15:35
VLAI?
Title
CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
Summary
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.
This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.
The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
Severity ?
8.6 (High)
CWE
- CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Assigner
References
1 reference
Impacted products
Date Public ?
2026-03-17 07:32
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22729",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T14:50:07.381087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-917",
"description": "CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement (\u0027Expression Language Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T15:35:10.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Spring AI",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "1.0.x",
"versionType": "OSS"
},
{
"lessThan": "1.1.3",
"status": "affected",
"version": "1.1.x",
"versionType": "oss"
}
]
}
],
"datePublic": "2026-03-17T07:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA JSONPath injection vulnerability in Spring AI\u0027s AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.\u003c/p\u003e\u003cp\u003eThis vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.\u003c/p\u003e\u003cp\u003eThe vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like\u0026nbsp;\u003ccode\u003e\"\u003c/code\u003e,\u0026nbsp;\u003ccode\u003e||\u003c/code\u003e, and\u0026nbsp;\u003ccode\u003e\u0026amp;\u0026amp;\u003c/code\u003e\u0026nbsp;are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.\u003c/p\u003e"
}
],
"value": "A JSONPath injection vulnerability in Spring AI\u0027s AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.\n\nThis vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.\n\nThe vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like\u00a0\",\u00a0||, and\u00a0\u0026\u0026\u00a0are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T07:39:56.739Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22729"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22729",
"datePublished": "2026-03-18T07:39:56.739Z",
"dateReserved": "2026-01-09T06:54:41.497Z",
"dateUpdated": "2026-03-18T15:35:10.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22730 (GCVE-0-2026-22730)
Vulnerability from cvelistv5 – Published: 2026-03-18 07:36 – Updated: 2026-03-19 03:55
VLAI?
Title
CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter
Summary
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.
The vulnerability exists due to missing input sanitization.
Severity ?
8.8 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
Impacted products
Date Public ?
2026-03-17 07:32
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22730",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T03:55:21.545Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"packageName": "Spring AI",
"product": "Spring AI",
"vendor": "VMware",
"versions": [
{
"lessThan": "1.0.4",
"status": "affected",
"version": "1.0.x",
"versionType": "OSS"
},
{
"lessThan": "1.1.3",
"status": "affected",
"version": "1.1.x",
"versionType": "oss"
}
]
}
],
"datePublic": "2026-03-17T07:32:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA critical SQL injection vulnerability in Spring AI\u0027s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.\u003c/p\u003e\u003cp\u003eThe vulnerability exists due to missing input sanitization.\u003c/p\u003e"
}
],
"value": "A critical SQL injection vulnerability in Spring AI\u0027s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.\n\nThe vulnerability exists due to missing input sanitization."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T07:36:30.533Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://spring.io/security/cve-2026-22730"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2026-22730",
"datePublished": "2026-03-18T07:36:30.533Z",
"dateReserved": "2026-01-09T06:54:41.498Z",
"dateUpdated": "2026-03-19T03:55:21.545Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}