Cyber Resilience

CVE-2026-40967

HighRCE

Published: 28 April 2026

Published
28 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0039 31.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40967 is a high-severity Code Injection (CWE-94) vulnerability in Vmware Spring Ai. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as NLP and Transformers; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40967 is a code injection vulnerability (CWE-94) in Spring AI's FilterExpressionConverter implementations, which accept filter expression objects and translate them into specific vector store query languages. In affected versions, keys and values are not properly escaped, enabling attackers to alter the resulting queries. The vulnerability impacts Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity by submitting malicious filter expressions through application interfaces that use the affected converters. Successful exploitation allows query alteration in vector stores, potentially leading to high confidentiality impacts such as unauthorized data access, alongside low integrity and availability effects.

The Spring security advisory at https://spring.io/security/cve-2026-40967 details the issue and confirms fixes in Spring AI 1.0.6 and 1.1.5, recommending immediate upgrades for affected deployments.

This vulnerability is particularly relevant in AI/ML contexts, as Spring AI integrates with vector stores commonly used for embedding-based retrieval and generation workflows. No public evidence of real-world exploitation has been reported.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions:…

more

Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

CWE(s)

AI Security AnalysisAI

AI Category
NLP and Transformers
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote unauthenticated code/query injection in public-facing Spring AI application enabling unauthorized data access in vector stores.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22738Same product: Vmware Spring Ai
CVE-2026-41705Same product: Vmware Spring Ai
CVE-2026-22729Same product: Vmware Spring Ai
CVE-2026-22744Same product: Vmware Spring Ai
CVE-2026-22730Same product: Vmware Spring Ai
CVE-2026-22742Same product: Vmware Spring Ai
CVE-2026-40978Same product: Vmware Spring Ai
CVE-2026-22743Same product: Vmware Spring Ai
CVE-2026-41713Same product: Vmware Spring Ai
CVE-2026-41712Same product: Vmware Spring Ai

Affected Assets

vmware
spring ai
1.0.0 — 1.0.6 · 1.1.0 — 1.1.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the code injection vulnerability by requiring timely identification, reporting, and patching of the unescaped filter expressions in affected Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4.

prevent

Prevents query alteration by enforcing validation and sanitization of filter expression keys and values before they are processed by FilterExpressionConverter implementations.

detect

Enables detection of CVE-2026-40967 through regular vulnerability scanning of Spring AI components in the environment.

References