1 article
Two injection vulnerabilities in Spring AI's vector store integration layer affect AI applications using retrieval-augmented generation pipelines. CVE-2026-40978 (CVSS 8.8) allows SQL injection through the CosmosDB vector store component; CVE-2026-40967 (CVSS 8.6) enables filter expression injection in the FilterExpressionConverter used across multiple backends. Both flaws affect Spring AI 1.0.x and 1.1.x and are patched in 1.1.5.