Attack Chain

1. Attacker identifies a vulnerable Spring AI instance running a version prior to 1.0.6 or 1.1.5.
2. For CVE-2026-40967 (VectorStore FilterExpression Converter injection): the attacker crafts a malicious FilterExpression designed to inject arbitrary code during the conversion process.
3. The malicious FilterExpression is submitted to the vulnerable VectorStore component via a user-controlled input or API endpoint.
4. The VectorStore attempts to convert the FilterExpression, triggering the injection vulnerability.
5. Arbitrary code is executed within the context of the Spring AI application, potentially granting the attacker control over the system.
6. For CVE-2026-40978 (SQL Injection in CosmosDBVectorStore.doDelete()): The attacker crafts a SQL injection payload.
7. The malicious SQL payload is inserted into the doDelete() function via a user-controlled input or API endpoint.
8. The injected SQL code is executed against the CosmosDB database, enabling data exfiltration, modification, or deletion.

Impact

Successful exploitation of CVE-2026-40967 and CVE-2026-40978 can lead to significant data breaches, unauthorized access to sensitive information, and complete compromise of the Spring AI application. This can impact any sector utilizing Spring AI for AI-powered applications, including finance, healthcare, and government. The impact could range from data theft and ransomware deployment to denial of service and reputational damage.

Recommendation

• Immediately upgrade Spring AI to version 1.0.6 or 1.1.5 or later to address CVE-2026-40967 and CVE-2026-40978.
• Monitor web server logs (category webserver, product linux) for suspicious requests targeting Spring AI endpoints, looking for unusual FilterExpression patterns or SQL syntax, to identify potential exploitation attempts.
• Implement input validation and sanitization measures within Spring AI applications to prevent FilterExpression injection and SQL injection attacks.