CVE-2026-40967
Published: 28 April 2026
Summary
CVE-2026-40967 is a high-severity Code Injection (CWE-94) vulnerability in Vmware Spring Ai. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40967 is a code injection vulnerability (CWE-94) in Spring AI's FilterExpressionConverter implementations, which accept filter expression objects and translate them into specific vector store query languages. In affected versions, keys and values are not properly escaped, enabling attackers to alter the resulting queries. The vulnerability impacts Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by submitting malicious filter expressions through application interfaces that use the affected converters. Successful exploitation allows query alteration in vector stores, potentially leading to high confidentiality impacts such as unauthorized data access, alongside low integrity and availability effects.
The Spring security advisory at https://spring.io/security/cve-2026-40967 details the issue and confirms fixes in Spring AI 1.0.6 and 1.1.5, recommending immediate upgrades for affected deployments.
This vulnerability is particularly relevant in AI/ML contexts, as Spring AI integrates with vector stores commonly used for embedding-based retrieval and generation workflows. No public evidence of real-world exploitation has been reported.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25994
Vulnerability details
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions:…
more
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
- CWE(s)
AI Security AnalysisAI
- AI Category
- NLP and Transformers
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated code/query injection in public-facing Spring AI application enabling unauthorized data access in vector stores.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the code injection vulnerability by requiring timely identification, reporting, and patching of the unescaped filter expressions in affected Spring AI versions 1.0.0-1.0.5 and 1.1.0-1.1.4.
Prevents query alteration by enforcing validation and sanitization of filter expression keys and values before they are processed by FilterExpressionConverter implementations.
Enables detection of CVE-2026-40967 through regular vulnerability scanning of Spring AI components in the environment.