Home / Vulnerability Intelligence / CVE-2026-40967

CVE-2026-40967 - Vulnerability Analysis

HighCVSS: 8.6

Last Updated: April 28, 2026

Spring AI - Injection

Published: April 28, 2026Updated: April 28, 2026Remote Exploitable

Overview

Spring AI 1.0.0 - 1.0.5, 1.1.0 - 1.1.4 contains a query alteration vulnerability caused by improper escaping of keys and values in FilterExpressionConverter implementations, letting attackers alter vector store queries, exploit requires crafted filter expressions.

Severity & Score

Severity: High

CVSS Score: 8.6

Impact

Attackers can alter vector store queries, potentially leading to unauthorized data access or manipulation.

Mitigation

Upgrade to versions 1.0.6 or 1.1.5 or later.

References

https://spring.io/security/cve-2026-40967

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40967
Severity: High
CVSS Score: 8.6
Type: insecure_deserialization
Status: new

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L