CVE-2026-40978
Published: 28 April 2026
Summary
CVE-2026-40978 is a high-severity SQL injection (CWE-89) vulnerability in VMware Spring AI. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as NLP and Transformers; in the Data-Related Vulnerabilities risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40978 is a SQL injection vulnerability (CWE-89) in Spring AI's CosmosDBVectorStore component, enabling attackers to execute arbitrary SQL queries via crafted document IDs. It affects Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2026-04-28T09:16:16.583.
The attack requires low privileges (PR:L) and is exploitable over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). An attacker with low-privilege access to the application can supply malicious document IDs to the CosmosDBVectorStore, injecting and executing arbitrary SQL queries against the underlying CosmosDB instance. This can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), such as data exfiltration, modification, or denial of service.
The Spring security advisory at https://spring.io/security/cve-2026-40978 provides full details. The vulnerability is addressed in Spring AI 1.0.6 and 1.1.5; practitioners should upgrade to these or later versions to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26011
Vulnerability details
A SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs. Affected versions: Spring AI 1.0.0 - 1.0.5 (fixed in 1.0.6) and 1.1.0 - 1.1.4 (fixed in 1.1.5).
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: Data-Related Vulnerabilities
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a network-accessible Spring AI component (AV:N/PR:L) directly enables T1190 (exploiting public-facing applications) and T1213.006 (arbitrary queries against the CosmosDB database instance).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by validating and sanitizing untrusted document IDs before they are used in CosmosDBVectorStore queries.
- SI-2 (Flaw Remediation): remediates the specific SQL injection flaw by identifying vulnerable Spring AI versions and patching to 1.0.6 or 1.1.5.
- Restricting document ID inputs to organization-defined safe formats blocks malformed payloads that enable SQL injection.
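The bug class described above and the SI-10 control, shown side by side as an added illustration that is not Spring AI's code: a query builder that concatenates caller-supplied document IDs into the query text, beside a hardened builder that allow-lists the IDs and passes them as named parameters in the shape a Cosmos DB SqlQuerySpec takes. The ID pattern, the query and the crafted input are constructed assumptions for this example.

```python
import re

# Allow-list for vector-store document IDs. The exact shape is a constructed
# assumption for this example; a real deployment defines its own.
DOC_ID_PATTERN = re.compile(r"[A-Za-z0-9_-]{1,128}")


class InvalidDocumentId(ValueError):
    """Raised when a caller-supplied document ID fails the allow-list check."""


def is_valid_document_id(doc_id) -> bool:
    """True only for IDs that match the allow-list exactly (SI-10 style check)."""
    return isinstance(doc_id, str) and DOC_ID_PATTERN.fullmatch(doc_id) is not None


def build_query_unsafe(ids):
    """Vulnerable pattern: IDs are quoted and concatenated into the query text,
    so a value containing a quote rewrites the WHERE clause."""
    quoted = ", ".join(f"'{doc_id}'" for doc_id in ids)
    return f"SELECT * FROM c WHERE c.id IN ({quoted})"


def build_query_parameterized(ids):
    """Hardened pattern: the query text holds only named placeholders and the
    values travel separately, the shape Cosmos DB's SqlQuerySpec expects.
    Validation is kept as defence in depth; parameterization alone already
    stops the values from being parsed as SQL."""
    for doc_id in ids:
        if not is_valid_document_id(doc_id):
            raise InvalidDocumentId(f"rejected document id: {doc_id!r}")
    names = [f"@id{i}" for i in range(len(ids))]
    text = f"SELECT * FROM c WHERE c.id IN ({', '.join(names)})"
    params = [{"name": n, "value": v} for n, v in zip(names, ids)]
    return text, params


if __name__ == "__main__":
    crafted = "x' OR 1=1 --"  # constructed malicious ID for illustration
    print(build_query_unsafe([crafted]))          # the injected clause survives
    print(build_query_parameterized(["doc-1"]))   # the value stays out of the text
```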