Spring AI Vulnerability (CVE-2026-40967) Allows Query Alteration

The National Vulnerability Database has disclosed CVE-2026-40967, a high-severity vulnerability affecting Spring AI versions 1.0.0 through 1.0.5 (fixed in 1.0.6) and 1.1.0 through 1.1.4 (fixed in 1.1.5). This flaw, rated with a CVSS score of 8.6, stems from improper escaping of keys and values within various FilterExpressionConverter implementations. These converters are responsible for translating filter expression objects into specific vector store query languages.

The core issue is CWE-94, 'Improper Control of Generation of Code ('Code Injection')', which allows attackers to manipulate query logic. By supplying keys or values containing unescaped metacharacters, an adversary can alter the intended query, potentially leading to unauthorized data access, modification, or denial of service by corrupting the database interaction. This isn't just a theoretical concern; it's a direct path to data compromise in systems relying on Spring AI for vector store interactions.

For defenders, this means any application using the affected Spring AI versions is exposed. The attacker's calculus is straightforward: find an endpoint that accepts filter expressions, craft a malicious key or value, and rely on the missing escaping to change the query the converter sends to the vector store. This is a critical architectural weakness that demands immediate attention, as it undermines the integrity of data retrieval and manipulation within AI-powered applications.
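As an added illustration, not Spring AI's code, the following Python model contrasts a filter converter that interpolates keys and values verbatim (the pattern behind this CVE) with one that allow-lists keys and escapes values; the SQL-like target syntax, the IDENT pattern, and the CLAUSES/INJECTED_VALUE inputs are all constructed for the demo. The keyword scanner shows how a user-supplied value can turn two intended predicates into three when it is not escaped.

```python
import re

# Hypothetical allow-list: keys in the toy filter language must be plain identifiers.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def convert_unescaped(clauses):
    """Vulnerable pattern: key and value are interpolated verbatim into the query."""
    return " AND ".join(f"{key} {op} '{value}'" for key, op, value in clauses)

def escape_value(value):
    """Escape a string literal: double embedded quotes, reject control characters."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control character in filter value")
    return value.replace("'", "''")

def convert_escaped(clauses):
    """Hardened converter: allow-listed keys and operators, escaped values."""
    parts = []
    for key, op, value in clauses:
        if not IDENT.match(key):
            raise ValueError(f"invalid filter key: {key!r}")
        if op not in ("==", "!="):
            raise ValueError(f"unsupported operator: {op!r}")
        parts.append(f"{key} {op} '{escape_value(value)}'")
    return " AND ".join(parts)

def keywords_outside_literals(query):
    """AND/OR keywords a backend parser sees, i.e. those outside '...' literals ('' is an escaped quote)."""
    seen, i, n = [], 0, len(query)
    while i < n:
        if query[i] == "'":  # skip one string literal, honouring doubled quotes
            i += 1
            while i < n and not (query[i] == "'" and query[i + 1:i + 2] != "'"):
                i += 2 if query[i:i + 2] == "''" else 1
            i += 1
        else:  # scan unquoted text up to the next literal
            j = i
            while j < n and query[j] != "'":
                j += 1
            seen += re.findall(r"\b(AND|OR)\b", query[i:j])
            i = j
    return seen

# Constructed input: the tenant clause is fixed by the app, the category value is user-supplied.
INJECTED_VALUE = "docs' OR tenant == 'other"
CLAUSES = [("tenant", "==", "acme"), ("category", "==", INJECTED_VALUE)]

if __name__ == "__main__":
    print(convert_unescaped(CLAUSES), keywords_outside_literals(convert_unescaped(CLAUSES)))
    print(convert_escaped(CLAUSES), keywords_outside_literals(convert_escaped(CLAUSES)))
```

The unescaped output exposes an extra OR to the parser, so the tenant restriction can be bypassed; the escaped output keeps the whole payload inside one literal and rejects keys that are not identifiers.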

What This Means For You

  • If your organization utilizes Spring AI, immediately identify all instances running versions 1.0.0-1.0.5 or 1.1.0-1.1.4. Prioritize patching to 1.0.6 or 1.1.5, respectively. This vulnerability allows query manipulation, which means data integrity and confidentiality are directly at risk. Don't assume your vector store is isolated from this logic flaw.

Detection Rules


Level: high · ATT&CK: T1190 (Initial Access)

Spring AI Query Alteration Attempt - CVE-2026-40967

Sigma YAML:
title: Spring AI Query Alteration Attempt - CVE-2026-40967
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-40967 in Spring AI by looking for common SQL/query alteration keywords within the query string of requests targeting known Spring AI endpoints. This indicates an attempt to manipulate vector store queries.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-40967/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'OR'
      - 'AND'
      - 'UNION'
      - 'SELECT'
      - 'FROM'
      - 'WHERE'
    cs-uri|contains:
      - '/query'
      - '/filter'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type            Indicator
CVE-2026-40967  Code Injection  Spring AI versions 1.0.0 through 1.0.5 (fixed in 1.0.6)
CVE-2026-40967  Code Injection  Spring AI versions 1.1.0 through 1.1.4 (fixed in 1.1.5)
CVE-2026-40967  Code Injection  Vulnerable component: FilterExpressionConverter implementations in Spring AI
CVE-2026-40967  Code Injection  Improper escaping of keys and values in filter expression translation

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 10:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
