Spring AI vulnerabilities
11 known vulnerabilities affecting spring/spring_ai.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 7, MEDIUM 3
Vulnerabilities
CVE-2026-22738 | P2 | CRITICAL | CVSS 9.8 | CWE-917 | Affected: ≥ 1.0.0, < 1.0.5; ≥ 1.1.0, < 1.1.4 | Published: 2026-03-27
In Spring AI, a SpEL injection vulnerability exists in SimpleVectorStore when a user-supplied value is used as a filter expression key. A malicious actor could exploit this to execute arbitrary code. Only applications that use SimpleVectorStore and pass user-supplied input as a filter expression key are affected.
This issue affects Spring AI: from
Source: nvd
CVE-2026-40978 | P3 | HIGH | CVSS 8.8 | CWE-89 | Affected: ≥ 1.0.0, < 1.0.6; ≥ 1.1.0, < 1.1.5 | Published: 2026-04-28
SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Source: nvd
CVE-2026-22742 | P3 | HIGH | CVSS 8.6 | CWE-918 | Affected: ≥ 1.0.0, < 1.0.5; ≥ 1.1.0, < 1.1.4 | Published: 2026-03-27
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.
This
Source: nvd
CVE-2026-47835 | P3 | HIGH | CVSS 8.6 | CWE-943 | Affected: ≥ 1.0.0, < 1.0.9; ≥ 1.1.0, < 1.1.8 | Published: 2026-06-15
In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store.
Affected versions:
Spring AI 1.0.0 through 1.0.x (fix 1.0.9).
Spring AI 1.1.0 through 1.1.
Source: nvd
CVE-2026-40967 | P3 | HIGH | CVSS 8.6 | CWE-94 | Affected: ≥ 1.0.0, < 1.0.6; ≥ 1.1.0, < 1.1.5 | Published: 2026-04-28
In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate it to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5
Source: nvd
CVE-2026-41705 | P3 | HIGH | CVSS 8.6 | CWE-917 | Affected: ≥ 1.0.0, < 1.0.7; ≥ 1.1.0, < 1.1.6 | Published: 2026-05-09
Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.
Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.
Source: nvd
CVE-2026-22743 | P3 | HIGH | CVSS 7.5 | CWE-89 | Affected: ≥ 1.0.0, < 1.0.5; ≥ 1.1.0, < 1.1.4 | Published: 2026-03-27
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after strip
Source: nvd
CVE-2026-41863 | P3 | MEDIUM | CVSS 6.5 | CWE-22 | Affected: ≥ 1.1.0, ≤ 1.1.x | Published: 2026-05-25
Spring AI's support for Anthropic's Skills API used LLM-influenced filenames unsanitized in Path.resolve before writing files to disk. This could allow a malicious user to write files outside the intended target directory, including restricted directories.
Affected versions:
Spring AI: 1.1.0 through 1.1.x
Sources: cvelistv5, nvd
CVE-2026-22744 | P3 | HIGH | CVSS 7.5 | CWE-74 | Affected: ≥ 1.0.0, < 1.0.5; ≥ 1.1.0, < 1.1.4 | Published: 2026-03-27
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Source: nvd
CVE-2026-40980 | P4 | MEDIUM | CVSS 6.5 | CWE-400 | Affected: ≥ 1.0.0, < 1.0.6; ≥ 1.1.0, < 1.1.5 | Published: 2026-04-28
In Spring AI, a malicious PDF file can be crafted that triggers the allocation of unreasonable amounts of memory when handled by `ForkPDFLayoutTextStripper`.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Source: nvd
CVE-2026-40979 | P4 | MEDIUM | CVSS 6.1 | CWE-377 | Affected: ≥ 1.0.0, < 1.0.6; ≥ 1.1.0, < 1.1.5 | Published: 2026-04-28
In Spring AI, having access to a shared environment can expose the ONNX model used by the application.
Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Source: nvd