Spring AI’s MilvusVectorStore#doDelete(List) method accepts delete requests containing document IDs that are directly incorporated into a filter expression without sanitization. This flaw allows an attacker to inject malicious filter syntax, causing the underlying Milvus engine to evaluate unintended conditions and delete the specified or additional documents. The vulnerability can lead to structured data loss, denial of service for the affected application, and potential escalation if the deleted data includes privileges or configuration. The weakness is classified as CWE‑917, representing untrusted filter expressions.

The issue affects all releases of Spring AI 1.0.x from 1.0.0 through the latest 1.0.x, with the fix available in 1.0.7 and newer; all releases of Spring AI 1.1.x from 1.1.0 through the latest 1.1.x, with the fix available in 1.1.6 and newer.

The CVSS score of 8.6 indicates a high severity vulnerability. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is through exposed API calls that perform delete operations. An attacker with access to the API endpoint can craft malicious document ID payloads to trigger the injection, leading to unintended data deletion. The risk is elevated due to the high impact and the possibility of remote exploitation when the API is reachable from untrusted networks.