CVE-2026-41705: Spring AI MilvusVectorStore Vulnerable to Filter Injection
The National Vulnerability Database (NVD) reports a critical vulnerability, CVE-2026-41705, affecting Spring AI’s MilvusVectorStore. Specifically, the doDelete(List) implementation is susceptible to filter-expression injection due to unsanitized document IDs. This flaw, rated with a CVSSv3 score of 8.6 (High), allows attackers to manipulate filter expressions, potentially leading to unauthorized data deletion or modification.
This is a significant issue for any organization leveraging Spring AI with Milvus. The vulnerability can be exploited remotely without authentication, making it an attractive target for attackers. The CVSS rating assigns a high confidentiality impact and low integrity and availability impacts, meaning attackers can likely read sensitive data, subtly corrupt other data, and disrupt service.
Spring AI 1.0.x versions from 1.0.0 through the latest are affected, requiring an upgrade to 1.0.7 or greater. Similarly, Spring AI 1.1.x, from 1.1.0 through the latest, needs an upgrade to 1.1.6 or greater. The NVD identifies CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement) as the underlying weakness.
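The unsanitized-ID flaw described above, as an added example that is not Spring AI's own code: a hypothetical filter builder in the vulnerable shape beside a hardened one. The class and method names, the `doc_id` field and the `in [...]` expression shape are assumptions for illustration; upgrading to the fixed releases remains the remedy.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added illustration; hypothetical helper, not Spring AI source code.
public class DeleteFilterExample {

    // Assumption: document IDs are UUIDs or short slugs. Adjust to your ID scheme.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Vulnerable shape: IDs are pasted into the expression, so a quote inside
    // an ID ends the string literal and the remainder is parsed as filter syntax.
    static String unsafeFilter(String idField, List<String> ids) {
        return ids.stream()
                .map(id -> "\"" + id + "\"")
                .collect(Collectors.joining(",", idField + " in [", "]"));
    }

    // Hardened shape: reject any ID outside the allowlist before building the filter.
    static String safeFilter(String idField, List<String> ids) {
        for (String id : ids) {
            if (id == null || !SAFE_ID.matcher(id).matches()) {
                throw new IllegalArgumentException("document ID not in allowlist format");
            }
        }
        return unsafeFilter(idField, ids); // every ID is now known to be quote-free
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        List<String> benign = List.of("3f2c9a1e-77b0-4c1d-9e55-0a1b2c3d4e5f", "doc_42");
        List<String> hostile = List.of("a\",\"b"); // one ID carrying embedded quotes

        System.out.println(safeFilter("doc_id", benign));
        // One supplied ID, but the expression now lists two: doc_id in ["a","b"]
        System.out.println(unsafeFilter("doc_id", hostile));
        try {
            safeFilter("doc_id", hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

In the vulnerable shape the single constructed ID is parsed as two list entries, which is the structural change the allowlist check prevents.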
What This Means For You
- If your organization utilizes Spring AI with MilvusVectorStore, you are directly exposed to CVE-2026-41705. This isn't theoretical; an unauthenticated attacker can remotely delete or manipulate your vector data. Prioritize patching immediately: upgrade Spring AI 1.0.x to 1.0.7+ or 1.1.x to 1.1.6+. Then, audit your Milvus logs for any anomalous delete operations or filter queries that bypass expected application logic.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-41705: Spring AI MilvusVectorStore Filter Injection Attempt
```yaml
# Title is quoted because it contains ": ", which is not valid in a plain YAML scalar
title: "CVE-2026-41705: Spring AI MilvusVectorStore Filter Injection Attempt"
id: scw-2026-05-09-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-41705 by injecting filter expressions into the MilvusVectorStore#doDelete method. The vulnerability allows unsanitized document IDs to be used in filter expressions, enabling attackers to manipulate delete operations. This rule looks for common patterns of filter injection within the query string of web requests.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41705/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'id in ("'
      # Double-quoted so the single quote is a literal character;
      # the original single-quoted form left the string unterminated
      - "id in ('"
      # Matches the backslash-escaped form: id in (\"
      - 'id in (\"'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41705 | Code Injection | Spring AI MilvusVectorStore#doDelete(List) filter-expression injection |
| CVE-2026-41705 | Affected Software | Spring AI 1.0.0 through 1.0.x (upgrade to 1.0.7+) |
| CVE-2026-41705 | Affected Software | Spring AI 1.1.0 through 1.1.x (upgrade to 1.1.6+) |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 09, 2026 at 04:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.