CVE-2026-41705 - Vulnerability Analysis
High | CVSS: 8.6 | Last Updated: May 9, 2026
Spring AI - NoSQL Injection
Published: May 9, 2026 | Updated: May 9, 2026 | Remote Exploitable
Overview
Spring AI 1.0.x and 1.1.x contain a NoSQL injection vulnerability caused by unsanitized document IDs in MilvusVectorStore#doDelete(List). An attacker can inject filter expressions remotely; exploitation requires supplying crafted document IDs.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Attackers can inject filter expressions to manipulate or delete data, potentially compromising data integrity.
Mitigation
Upgrade to version 1.0.7 or greater for 1.0.x and 1.1.6 or greater for 1.1.x.
Details
- CVE ID: CVE-2026-41705
- Severity: High
- CVSS Score: 8.6
- Type: nosql_injection
- Status: new
CWE
- CWE-917
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L