Cyber Resilience

CVE-2026-40978

Severity: High
Published: 28 April 2026
Modified: 29 April 2026
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0034 (25.7th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40978 is a high-severity SQL Injection (CWE-89) vulnerability in VMware Spring AI. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related: AI category NLP and Transformers, risk domain Data-Related Vulnerabilities.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40978 is a SQL injection vulnerability (CWE-89) in Spring AI's CosmosDBVectorStore component, enabling attackers to execute arbitrary SQL queries via crafted document IDs. It affects Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability was published on 2026-04-28T09:16:16.583.

The attack requires low privileges (PR:L) and is exploitable over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). An attacker with low-privilege access to the application can supply malicious document IDs to the CosmosDBVectorStore, injecting and executing arbitrary SQL queries against the underlying CosmosDB instance. This can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), such as data exfiltration, modification, or denial of service.

The Spring security advisory at https://spring.io/security/cve-2026-40978 provides full details. The vulnerability is addressed in Spring AI 1.0.6 and 1.1.5; practitioners should upgrade to these or later versions to mitigate the issue.

Vulnerability details

SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs. Affected versions: Spring AI 1.0.0 - 1.0.5 (fixed in 1.0.6) and 1.1.0 - 1.1.4 (fixed in 1.1.5).

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in network-accessible Spring AI component (AV:N/PR:L) directly enables T1190 for exploiting public-facing apps and T1213.006 for arbitrary queries against the CosmosDB database instance.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22743 (same product: VMware Spring AI)
CVE-2026-22730 (same product: VMware Spring AI)
CVE-2026-41705 (same product: VMware Spring AI)
CVE-2026-22744 (same product: VMware Spring AI)
CVE-2026-40967 (same product: VMware Spring AI)
CVE-2026-22738 (same product: VMware Spring AI)
CVE-2026-22729 (same product: VMware Spring AI)
CVE-2026-22742 (same product: VMware Spring AI)
CVE-2026-41712 (same product: VMware Spring AI)
CVE-2026-41713 (same product: VMware Spring AI)

Affected Assets

VMware Spring AI: 1.0.0 to 1.0.6 · 1.1.0 to 1.1.5

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly prevents SQL injection by validating and sanitizing untrusted document IDs before they are used in CosmosDBVectorStore queries.

SI-2 Flaw Remediation (prevent): Remediates the specific SQL injection flaw by identifying vulnerable Spring AI versions and patching to 1.0.6 or 1.1.5.

Prevent: Restricts document ID inputs to organization-defined safe formats, blocking malformed payloads that enable SQL injection.
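As an added illustration of the controls above (allowlisting document IDs) and of the CWE-89 condition described in the deeper analysis (untrusted IDs reaching Cosmos DB SQL text), the following Python is example code written for this page, not Spring AI's or the Azure SDK's own. The ID format, the query text and the sample IDs are constructed assumptions; the returned spec dict mirrors the `query` and `parameters` arguments of the azure-cosmos Python SDK's `query_items`, which is also an assumption stated in the code.

```python
import re

# Organisation-defined safe format for vector-store document IDs (an assumption
# made for this example): alphanumerics, dot, underscore, hyphen; no quotes, no spaces.
SAFE_ID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,254}$")


def validate_doc_ids(ids):
    """Allowlist check in the spirit of NIST SI-10: raise on any ID outside the safe format."""
    if not ids:
        raise ValueError("no document IDs supplied")
    bad = [i for i in ids if not isinstance(i, str) or not SAFE_ID_RE.match(i)]
    if bad:
        raise ValueError(f"rejected document IDs: {bad}")
    return list(ids)


def vulnerable_query_by_ids(ids):
    """Anti-pattern: untrusted IDs spliced straight into Cosmos DB SQL text.
    A quote character inside an ID changes the structure of the statement itself."""
    quoted = ", ".join(f"'{i}'" for i in ids)
    return f"SELECT * FROM c WHERE c.id IN ({quoted})"


def safe_query_by_ids(ids):
    """Hardened form: IDs are validated, then bound as @idN parameters so the
    query text stays fixed whatever the IDs contain. The dict shape mirrors the
    query/parameters arguments of azure-cosmos query_items() (assumption)."""
    ids = validate_doc_ids(ids)
    names = [f"@id{n}" for n in range(len(ids))]
    return {
        "query": f"SELECT * FROM c WHERE c.id IN ({', '.join(names)})",
        "parameters": [{"name": n, "value": v} for n, v in zip(names, ids)],
    }


if __name__ == "__main__":
    # Constructed sample IDs: one well-formed, one carrying a stray quote.
    good, odd = "doc-1", "doc-2' x"
    print(vulnerable_query_by_ids([good, odd]))  # quote breaks out of the string literal
    print(safe_query_by_ids([good]))             # fixed text, value bound separately
    try:
        safe_query_by_ids([good, odd])
    except ValueError as err:
        print("blocked:", err)                   # malformed ID never reaches the database
```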
