CVE-2026-47835

Vulnerability

Spring AI Vector Stores in versions 1.0.0 through 1.0.x and 1.1.0 through 1.1.x do not properly sanitize special characters in metadata filtering. This flaw affects the spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components, allowing an attacker to inject arbitrary query syntax into the underlying vector database queries [1].

Exploitation

An attacker with network access to the vector store endpoint can craft a malicious metadata filter containing special characters (e.g., quotes, operators) that bypasses intended filtering logic. No authentication or user interaction is required, as the vulnerability is triggered purely by sending a crafted request to the affected service [1].

Impact

Successful exploitation leads to unauthorized execution of arbitrary queries against the Elasticsearch, OpenSearch, or GemFire VectorDB backends. This can result in high confidentiality impact (reading sensitive vector data) and limited integrity/availability impact (modifying or deleting data). The CVSS v3.1 score is 8.6 (High) [1].

Mitigation

Users should upgrade to the fixed versions: Spring AI 1.0.9 for the 1.0.x line and Spring AI 1.1.8 for the 1.1.x line. No other mitigation steps are necessary, and no workarounds are provided [1].