A high-severity filter-expression injection vulnerability in Spring AI’s MilvusVectorStore allows unauthenticated attackers to execute arbitrary delete operations, threatening AI applications running RAG workloads at scale.
Spring AI’s MilvusVectorStore#doDelete(List<String>) method is vulnerable to a filter-expression injection attack, tracked as CVE-2026-41705 and disclosed on May 8, 2026.
The root cause is straightforward but dangerous: document IDs passed to the delete operation are interpolated directly into Milvus filter expressions without sanitization.
An attacker who can influence the document ID parameter can craft a malicious payload that manipulates the filter expression logic, leading to unauthorized data deletion or the exposure of sensitive records.
CVE-2026-41705: Spring AI Vulnerability
This vulnerability carries a CVSS 3.1 score calculated against the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, which means it is exploitable over the network, requires no authentication, no user interaction, and no special privileges.
The Confidentiality impact is rated High, with Low impacts to Integrity and Availability, making unauthorized data access the primary concern alongside targeted data destruction.
CVE-2026-41705 affects all builds of Spring AI in the 1.0.x and 1.1.x release lines. Specifically:
- Spring AI 1.0.0 through 1.0.x – fixed in 1.0.7 (OSS)
- Spring AI 1.1.0 through 1.1.x – fixed in 1.1.6 (OSS)
Any application using MilvusVectorStore that passes user-supplied input as document IDs into the delete operation is directly in scope.
This includes production AI applications built on Retrieval-Augmented Generation (RAG) architectures, where vector stores are routinely queried with user-derived parameters including tenant IDs, document identifiers, and permission-scoped metadata.
Applications that generate document IDs entirely server-side and never expose them to user input are at reduced risk from this specific attack vector.
CVE-2026-41705 is not an isolated incident; it is part of a sustained wave of injection vulnerabilities sweeping through Spring AI’s vector store ecosystem throughout 2026. On April 27, 2026, the Spring security team simultaneously disclosed five related CVEs across the same 1.0.x and 1.1.x release lines:
- CVE-2026-40967 (CVSS 8.6): Filter-expression injection in FilterExpressionConverter implementations, exploitable without authentication in applications accepting user-supplied filter inputs
- CVE-2026-40978 (CVSS 8.8): SQL injection in CosmosDBVectorStore.doDelete(), enabling arbitrary SQL execution against Azure Cosmos DB with low-privilege access
- CVE-2026-40966 (CVSS 5.9): Cross-tenant chat memory exfiltration via crafted conversationId values in VectorStoreChatMemoryAdvisor
- CVE-2026-40980 (CVSS 6.5): Out-of-memory denial-of-service via attacker-controlled PDFs in ForkPDFLayoutTextStripper
- CVE-2026-40979 (CVSS 6.1): ONNX model cache exposure in world-writable /tmp directories
HeroDevs CTO Greg Allen noted that these vulnerabilities represent a new class of AI-specific security flaws: “Filter expressions and document IDs are the AI-era equivalent of the SQL parameter and the LDAP query string”.
The pattern follows decades of well-understood injection vulnerabilities in relational databases now appearing freshly in vector store backends as AI-native infrastructure matures.
In the vulnerable doDelete(List<String>) method, each document ID in the input list is embedded directly into a Milvus filter expression string at runtime. Milvus filter expressions function similarly to SQL WHERE clauses; they define logical conditions for selecting records during database operations.
When an attacker supplies a crafted document ID such as ' OR id != '', the unsanitized value is interpolated into the filter expression, potentially altering its logic to match records far beyond the intended target.
This allows attackers to trigger broad delete operations across collections they were not authorized to modify, effectively weaponizing the delete API for data destruction or exfiltration of record metadata.
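The interpolation pattern described above, next to a hardened form, as an added example (not Spring AI's code and not its patch). The filter shape `id in ['...']`, the class and method names, the ID allow-list and the backslash escaping are assumptions for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class MilvusDeleteFilterExample {

    // Assumption: document IDs are UUID-like tokens; tighten this to your own ID format.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,128}");

    // Vulnerable pattern: each raw ID is dropped between quotes in the expression.
    static String naiveFilter(String idField, List<String> ids) {
        return ids.stream()
                .map(id -> "'" + id + "'")
                .collect(Collectors.joining(",", idField + " in [", "]"));
    }

    // Hardened form: every ID must pass the allow-list before it is quoted.
    static String safeFilter(String idField, List<String> ids) {
        if (ids == null || ids.isEmpty()) {
            throw new IllegalArgumentException("at least one document ID is required");
        }
        return ids.stream()
                .map(MilvusDeleteFilterExample::quote)
                .collect(Collectors.joining(",", idField + " in [", "]"));
    }

    // Reject anything outside the allow-list, then escape backslash and quote
    // as defence in depth in case the allow-list is later relaxed.
    static String quote(String id) {
        if (id == null || !SAFE_ID.matcher(id).matches()) {
            throw new IllegalArgumentException("rejected document ID");
        }
        return "'" + id.replace("\\", "\\\\").replace("'", "\\'") + "'";
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed ID and the crafted value quoted in the article.
        List<String> ok = List.of("doc-42");
        List<String> crafted = List.of("' OR id != ''");

        System.out.println(naiveFilter("id", ok));
        System.out.println(naiveFilter("id", crafted)); // the quote ends the literal early
        System.out.println(safeFilter("id", ok));
        try {
            safeFilter("id", crafted);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```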
The PR:N (no privileges required) component in the CVSS vector is especially significant for organizations that expose document management APIs to external users, partners, or untrusted clients. Any publicly accessible endpoint that routes user input through doDelete() is a direct attack surface.
CVE-2026-41705 arrives at a critical juncture: Spring Boot 3.5, on which both Spring AI 1.0 and Spring AI 1.1 depend, reaches end-of-life on June 30, 2026. After that date, the 1.x line will no longer receive OSS security patches.
Teams that have not migrated to Spring AI 2.0 targeting Spring Boot 4 will face an ungated accumulation of unpatched CVEs with no upstream remediation available.
Security researchers have documented that the typical enterprise migration from Spring Boot 3.5 to Spring Boot 4 with Spring AI 2.0 takes between 3 and 9 months, a timeframe that already exceeds the OSS support deadline. This makes the interim patch step, upgrading to 1.0.7 or 1.1.6 now, both necessary and insufficient as a long-term posture.
Mitigation
The Spring team has confirmed that no workarounds are required beyond upgrading to the patched versions. The complete remediation guidance is:
- Teams running Spring AI 1.0.x must upgrade to 1.0.7 immediately
- Teams running Spring AI 1.1.x must upgrade to 1.1.6 immediately
- After patching, conduct an audit of all endpoints that accept user-supplied document IDs and route them to any VectorStore.doDelete() implementation
- Begin planning migration to Spring AI 2.0 before the June 30, 2026 Spring Boot 3.5 EOL to avoid exposure to unpatched post-EOL CVEs
- Review all RAG and AI memory pipeline components for any pattern where user-controlled strings are interpolated into filter expressions without parameterization.
No additional runtime mitigations, such as WAF rules or input filtering, are documented as sufficient substitutes for the patch.
FAQ
Q1: What is CVE-2026-41705?
It is a high-severity filter-expression injection vulnerability in Spring AI’s MilvusVectorStore#doDelete() method that allows unauthenticated attackers to manipulate delete operations and potentially destroy or expose vector store data.
Q2: Which Spring AI versions are affected by CVE-2026-41705?
Spring AI versions 1.0.0–1.0.x and 1.1.0–1.1.x are affected; users must upgrade to 1.0.7 or 1.1.6, respectively, to remediate the issue.
Q3: Can CVE-2026-41705 be exploited without authentication?
Yes, the CVSS vector confirms PR:N (no privileges required), meaning any network-accessible endpoint passing user input to doDelete() is exploitable without credentials.
Q4: Is a workaround available for CVE-2026-41705 without upgrading?
Spring’s official advisory states that upgrading to the fixed version is the only remediation and that no additional mitigation steps are necessary.
Site: thecybrdef.com