Security Vulnerability Report
CVE-2026-40967 CVSS 8.6 HIGH

CVE-2026-40967

Published: 2026-04-28 07:16:03
Last Modified: 2026-04-29 19:04:59

Description

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate it into a specific vector store query language. In several cases, keys and values are not properly escaped, allowing the resulting query to be altered.

Affected versions: Spring AI 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:* - VULNERABLE (Spring AI 1.0.0 - 1.0.5)
cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:* - VULNERABLE (Spring AI 1.1.0 - 1.1.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
Java
// POC Concept for CVE-2026-40967
// Demonstrates how unsanitized input can alter a vector store query.
// This is a concept only: it builds no real query and contacts no vector store.
import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

public class CVE202640967PoC {
    public static void main(String[] args) {
        FilterExpressionBuilder builder = new FilterExpressionBuilder();

        // Scenario: User input is taken directly to filter documents by 'author'
        String userInput = "admin'; /* Malicious injection */ return true; //";

        // Vulnerable construction: The converter takes userInput as a literal value
        // but fails to escape quotes or special characters if the underlying query
        // language (e.g., a specific SQL-like or JSON-like vector dialect) interprets them.
        // If the filter is built like: builder.eq("author", userInput)
        // And the backend converts this to a string query without escaping:
        // Resulting Query (Hypothetical): { "author": "admin'; return true; //" }
        // In some contexts, this might break out of the value context and execute logic.
        System.out.println("Constructed Filter with User Input: " + userInput);

        // Actual exploitation depends on the specific VectorStore implementation
        // (e.g., Pinecone, Milvus, Weaviate).
        // For a NoSQL-based store, injecting JSON keys might be possible:
        String jsonInjection = "{\"$ne\": null}";
        // If the app constructs: builder.in("metadata", jsonInjection)
        // And it is not escaped, the query might become:
        // { "metadata": { "$ne": null } }
        // This matches documents where metadata is not null, potentially leaking all records.
    }
}

References

https://spring.io/security/cve-2026-40967 (Vendor Advisory)

Weakness: CWE-94
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-40967",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-28T07:16:03.360",
    "lastModified": "2026-04-29T19:04:59.077",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.\n\nAffected versions:\nSpring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-94" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.0.0",
                "versionEndExcluding": "1.0.6",
                "matchCriteriaId": "1CD6DC44-CDE8-47E4-A788-6D8AE716396F"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.1.0",
                "versionEndExcluding": "1.1.5",
                "matchCriteriaId": "5013645B-3914-4A40-8D42-CB47344963A7"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://spring.io/security/cve-2026-40967",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}