SQL Injection Vulnerability in Spring AI's CosmosDBVectorStore
CVE-2026-40978

8.8HIGH

Key Information:

Vendor: Spring
Status: Spring Ai
Vendor: CVE Published:; 28 April 2026

What is CVE-2026-40978?

A SQL injection vulnerability exists in Spring AI's CosmosDBVectorStore, enabling attackers to execute arbitrary SQL queries through specially crafted document IDs. This flaw impacts versions 1.0.0 to 1.0.5 and 1.1.0 to 1.1.4 of the product, potentially compromising the integrity of the database by exposing sensitive data and allowing unauthorized access.

Affected Version(s)

Spring AI 1.0.0 < 1.0.6

Spring AI 1.1.0 < 1.1.5

References

https://spring.io/security/cve-2026-40978

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 28, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-40978 Data

JSON