Impact
Spring AI’s MilvusVectorStore#doDelete(List) method accepts delete requests containing document IDs that are directly incorporated into a filter expression without sanitization. This flaw allows an attacker to inject malicious filter syntax, causing the underlying Milvus engine to evaluate unintended conditions and delete the specified or additional documents. The vulnerability can lead to structured data loss, denial of service for the affected application, and potential escalation if the deleted data includes privileges or configuration. The weakness is classified as CWE‑917, representing untrusted filter expressions.
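The string-building defect described above, as an added example that is not Spring AI's own code: a delete filter built by quoting and concatenating IDs, next to a variant that allow-lists every ID first. The `doc_id` field name, the ID pattern, and the class and method names are assumptions for illustration, and the sample IDs are constructed.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class DeleteFilterExample {

    // Assumed ID field name and ID format; adjust both to your collection schema.
    static final String ID_FIELD = "doc_id";
    static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Unsafe pattern: each ID is wrapped in quotes and concatenated as-is,
    // so a quote inside an ID ends the string literal early.
    static String naiveFilter(List<String> ids) {
        return ID_FIELD + " in ["
                + ids.stream().map(id -> "'" + id + "'").collect(Collectors.joining(","))
                + "]";
    }

    // Hardened pattern: reject any ID outside the allow-list before it
    // reaches the expression, so an ID can only ever be a string literal.
    static String checkedFilter(List<String> ids) {
        if (ids == null || ids.isEmpty()) {
            throw new IllegalArgumentException("no document IDs supplied");
        }
        for (String id : ids) {
            if (id == null || !SAFE_ID.matcher(id).matches()) {
                throw new IllegalArgumentException("rejected document ID");
            }
        }
        return naiveFilter(ids);
    }

    public static void main(String[] args) {
        // Constructed sample input: one well-formed ID, one with an embedded quote.
        List<String> good = List.of("3f2a9c1e-0b7d-4e55-9a10-6c1d2e8f4b77");
        List<String> bad = List.of("abc'def");

        System.out.println(checkedFilter(good));
        // The literal is cut at the embedded quote; "def" now sits outside the string.
        System.out.println(naiveFilter(bad));
        try {
            checkedFilter(bad);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The same allow-list check can sit in the API layer in front of any delete endpoint on releases that have not yet been upgraded.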
Affected Systems
The issue affects Spring AI 1.0.x releases starting at 1.0.0, with the fix available in 1.0.7 and newer, and Spring AI 1.1.x releases starting at 1.1.0, with the fix available in 1.1.6 and newer.
Risk and Exploitability
The CVSS score of 8.6 indicates a high-severity vulnerability. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is exposed API calls that perform delete operations. An attacker with access to the API endpoint can craft malicious document ID payloads to trigger the injection, leading to unintended data deletion. The risk is elevated by the high impact and the possibility of remote exploitation when the API is reachable from untrusted networks.