Spring Product Security Update Advisory
Overview
A security update has been released to address vulnerabilities in Spring products. The affected product is Spring AI, and users should update to the latest version.
Affected products
- Spring AI 1.0.0 or later, earlier than 1.0.6.
- Spring AI 1.1.0 or later, earlier than 1.1.5.
Resolved vulnerabilities
- CVE-2026-40967: Failure to handle input escaping in Spring AI.
- CVE-2026-40978: SQL Injection vulnerability in Spring AI, which allows an attacker to manipulate the database query through crafted input values.
Patch information
Patches for these vulnerabilities are included in the latest update. Update to Spring AI 1.0.6 or 1.1.5 by following the instructions on the reference site.
Notes
- CVE-2026-40967: VectorStore FilterExpression Converter injection.
- CVE-2026-40978: SQL Injection in CosmosDBVectorStore.doDelete().