CVE-2026-40967
Published: 28 April 2026
Summary
CVE-2026-40967 is a high-severity Code Injection (CWE-94) vulnerability in Vmware Spring Ai. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the code injection vulnerability by requiring timely identification, reporting, and patching of the unescaped filter expressions in affected Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4.
Prevents query alteration by enforcing validation and sanitization of filter expression keys and values before they are processed by FilterExpressionConverter implementations.
Enables detection of CVE-2026-40967 through regular vulnerability scanning of Spring AI components in the environment.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated code/query injection in public-facing Spring AI application enabling unauthorized data access in vector stores.
NVD Description
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions:…
more
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Deeper analysisAI
CVE-2026-40967 is a code injection vulnerability (CWE-94) in Spring AI's FilterExpressionConverter implementations, which accept filter expression objects and translate them into specific vector store query languages. In affected versions, keys and values are not properly escaped, enabling attackers to alter the resulting queries. The vulnerability impacts Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by submitting malicious filter expressions through application interfaces that use the affected converters. Successful exploitation allows query alteration in vector stores, potentially leading to high confidentiality impacts such as unauthorized data access, alongside low integrity and availability effects.
The Spring security advisory at https://spring.io/security/cve-2026-40967 details the issue and confirms fixes in Spring AI 1.0.6 and 1.1.5, recommending immediate upgrades for affected deployments.
This vulnerability is particularly relevant in AI/ML contexts, as Spring AI integrates with vector stores commonly used for embedding-based retrieval and generation workflows. No public evidence of real-world exploitation has been reported.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, ai