Spring AI CVE-2026-40978 and CVE-2026-40967 — SQL Injection and Filter Expression Injection in RAG Vector Store Components

Spring AI — VMware’s Java framework for building AI-integrated applications — has patched two injection vulnerabilities in its vector store layer that expose applications to SQL injection and filter expression injection through retrieval-augmented generation (RAG) query pipelines. The flaws affect the CosmosDB and multi-backend filter expression components introduced in Spring AI 1.0 and carried forward into 1.1.x without sanitisation.

CVE-2026-40978 — SQL Injection via CosmosDB Vector Store

CVSS 8.8 — HIGH

Spring AI’s CosmosDBVectorStore component supports hybrid vector+metadata filtering to narrow similarity search results — a standard capability for RAG pipelines that retrieve documents matching both semantic similarity and structured criteria (date ranges, document types, user identifiers, access tier labels). The component constructs SQL queries for Azure Cosmos DB using string concatenation rather than parameterised queries, and fails to sanitise metadata filter values supplied by the application layer.

An attacker who can control metadata filter parameters passed to a RAG query — commonly the case when filter values are derived from user input, such as filtering by user ID, session context, or document category — can inject arbitrary SQL that the Cosmos DB query engine executes. Depending on application permissions granted to the Spring AI service principal, successful exploitation can read documents outside the intended scope, exfiltrate stored embeddings and source content, or in some configurations, execute administrative operations against the Cosmos DB account.

The vulnerable code path is specifically the CosmosDBVectorStore.similaritySearch(SearchRequest) method when the SearchRequest contains a FilterExpression referencing values derived from external input. Internal, hardcoded filter values are not at risk.

CVE-2026-40967 — Filter Expression Injection in FilterExpressionConverter

CVSS 8.6 — HIGH

FilterExpressionConverter is Spring AI’s shared filter expression translation layer used across multiple vector store backends including Pinecone, Weaviate, Qdrant, and Milvus, as well as the CosmosDB integration. It translates Spring AI’s DSL-based filter expressions into backend-specific query syntax.

CVE-2026-40967 exists in the expression serialisation path: string values containing the characters ', ), AND, OR, and NOT are not escaped before being embedded in backend query strings. An attacker with control over filter values can break out of the intended expression context and inject arbitrary filter logic — equivalent to boolean-based SQL injection but targeting vector database query languages.

In a RAG application, this can enable an attacker to bypass document-level access controls implemented through metadata filters. For example, if an application filters retrieved documents by user_id = $currentUser and the attacker can manipulate this value, they could construct an expression that retrieves documents belonging to other users or all documents in the vector store.

Affected Configurations

Both CVEs affect applications that:

• Use Spring AI 1.0.0–1.0.4 or 1.1.0–1.1.4
• Pass user-controlled or externally-derived values as metadata filter parameters in vector store queries
• Use CosmosDBVectorStore (CVE-2026-40978) or any FilterExpressionConverter-backed store (CVE-2026-40967)

Static or hardcoded filter expressions using only developer-controlled values are not exploitable.

Remediation

Upgrade to Spring AI 1.1.5, which rewrites both the CosmosDBVectorStore query construction to use parameterised queries and the FilterExpressionConverter serialisation to escape all string values before embedding in backend query syntax.

For applications that cannot immediately upgrade:

CVE-2026-40978 workaround: Validate and sanitise all values placed into FilterExpression string parameters before constructing SearchRequest objects. Reject or escape values containing SQL metacharacters.

CVE-2026-40967 workaround: Avoid passing unvalidated external input as filter expression values across any vector store backend. Implement an allowlist of permitted filter values for user-controlled parameters.

Deployment Context

Spring AI adoption has grown rapidly in enterprise environments building RAG applications for document Q&A, code assistance, and knowledge retrieval. Vector stores in these deployments frequently hold sensitive source material — internal documents, customer records, proprietary knowledge bases — with document-level access controls implemented through metadata filtering. Injection vulnerabilities that bypass these controls represent a data exfiltration risk specific to the AI application layer, and are likely to be under-monitored by teams focused on traditional SQL database security rather than vector database query integrity.

Organisations building RAG applications on Spring AI should treat filter expression values from external sources as untrusted input regardless of framework, and should verify that the 1.1.5 patch is applied to all deployed services before processing user-controlled queries.