Zero Day MonitorZDM

← Back to list

8.6

CVE-2026-40967EXPLOITEDPATCHED

spring · spring ai

CVE-2026-40967: In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to

Description

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate them to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)

Affected Products

Vendor	Product	Versions
spring	spring ai	1.0.0, 1.1.0

References

https://spring.io/security/cve-2026-40967

Related News (2 articles)

Tier C

VulDB1d ago

CVE-2026-40967 | Vmware Spring AI up to 1.0.5/1.1.4 Expressions FilterExpressionConverter code injection

→ No new info (linked only)

Tier B

CERT-FR1d ago

Multiples vulnérabilités dans Spring (28 avril 2026)

→ No new info (linked only)

CVSS 3.18.6 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

1.0.61.1.5

CWECWE-94

PublishedApr 28, 2026

Last enriched1d agov2

Trending Score63

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-40978EXP

CVE-2026-40978: SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via c

CRITICALCVE-2026-40976EXP

CVE-2026-40976: In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoint

MEDIUMCVE-2026-40966EXP

VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

HIGHCVE-2026-40968EXP

Spring gRPC SecurityContext leaks across requests on authorization failure

CRITICALCVE-2026-40974EXP

CVE-2026-40974: Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 28, 2026

Discovered by ZDM

Apr 28, 2026

Updated: severity, activelyExploited

Apr 28, 2026

Actively Exploited

Apr 29, 2026

Patch Available

Apr 29, 2026

Version History

v2

Last enriched 1d ago

v2Tier C1d ago

Updated severity to CRITICAL and corrected exploit availability to false, while marking it as actively exploited.

severityactivelyExploited

via VulDB

v11d ago

Initial creation