
Spring AI filter expression injection lets attackers alter vector store queries

2 min read. Published 27 Apr 2026. Source: Spring Security Advisories.

TL;DR - FilterExpressionConverter fails to escape keys and values before passing them to the underlying vector store query language. If user-supplied input reaches the filterExpression parameter, an attacker can reshape that query. Upgrade to 1.0.6 or 1.1.5 depending on your Spring AI line.

What happened

Spring AI is Spring's framework layer for building LLM applications, including retrieval-augmented generation flows backed by vector stores.

CVE-2026-40967 is an injection flaw in Spring AI's FilterExpressionConverter implementations. These converters translate a filter expression object into the query language of the target vector store backend. Across multiple implementations, keys and values are not properly escaped before that translation happens. An attacker who controls those values can alter the generated query.

Spring scopes the blast radius precisely: only applications that use VectorStore implementations and pass user-supplied input as a filterExpression are affected.

This is the same failure mode that hits every query-building layer eventually. Once untrusted input gets concatenated into an underlying query language without escaping, your authorization boundaries and data-partition assumptions collapse at the adapter layer. Vector store filter expressions are no different from SQL, LDAP, or NoSQL query builders in that regard.

Who is impacted

  • Applications using Spring AI VectorStore implementations where user-controlled data can reach the filterExpression parameter - for example, search filters, metadata filters, or tenant selectors built from request input.

| Spring AI line | Affected versions | Fixed version |
|----------------|-------------------|---------------|
| 1.0.x          | 1.0.0 - 1.0.x     | 1.0.6         |
| 1.1.x          | 1.1.0 - 1.1.x     | 1.1.5         |

What to do now

  • Upgrade to the fixed version for your line: 1.0.6 or 1.1.5.

    "Users of affected versions should upgrade to the corresponding fixed version." "No further mitigation steps are necessary."

  • Inventory every service using Spring AI and trace where filterExpression values originate.
  • Treat any path that builds filter expressions from request parameters - search filters, metadata filters, tenant selectors - as high-risk until the upgrade is confirmed deployed.
  • If you suspect past exposure, review vector search endpoint access logs for unusual filter shapes and unexpected data-access patterns.
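The pattern described under "What happened" and the high-risk path named above (filter expressions assembled from request input), shown as an added example that is not Spring's or JustAppSec's code. It contrasts string concatenation into filterExpression with a guarded path that takes the tenant from the authenticated principal, allowlists the filter key, and validates values against a strict pattern before they reach the converter. The class, allowlist and value pattern are assumptions; note that the typed builder alone does not fix CVE-2026-40967, since the converter does the escaping, so the upgrade remains the fix and the validation only limits what unpatched converters can receive.

```java
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.ai.document.Document;
import org.springframework.ai.vectorstore.SearchRequest;
import org.springframework.ai.vectorstore.VectorStore;
import org.springframework.ai.vectorstore.filter.Filter;
import org.springframework.ai.vectorstore.filter.FilterExpressionBuilder;

public class TenantScopedSearch {
    // Hypothetical allowlist of metadata keys a caller may filter on.
    private static final Set<String> ALLOWED_KEYS = Set.of("tenant_id", "doc_type");
    // Hypothetical value grammar: no quotes, parentheses or operators can slip through.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");

    private final VectorStore vectorStore;

    public TenantScopedSearch(VectorStore vectorStore) {
        this.vectorStore = vectorStore;
    }

    // Vulnerable shape: request input concatenated into the filter string. With an
    // unpatched converter, a quote or operator inside tenantId reshapes the query.
    public List<Document> searchUnsafe(String query, String tenantId) {
        String filter = "tenant_id == '" + tenantId + "'";
        return vectorStore.similaritySearch(SearchRequest.builder()
                .query(query).topK(5).filterExpression(filter).build());
    }

    // Guarded shape: tenant comes from the authenticated principal, the key is
    // allowlisted, every value is validated, and the expression is built with typed
    // builder calls instead of string assembly.
    public List<Document> searchScoped(String query, String tenantFromPrincipal,
                                       String key, String value) {
        if (!ALLOWED_KEYS.contains(key)) {
            throw new IllegalArgumentException("unknown filter key");
        }
        requireSafe(tenantFromPrincipal);
        requireSafe(value);
        FilterExpressionBuilder b = new FilterExpressionBuilder();
        Filter.Expression expr = b.and(b.eq("tenant_id", tenantFromPrincipal), b.eq(key, value)).build();
        return vectorStore.similaritySearch(SearchRequest.builder()
                .query(query).topK(5).filterExpression(expr).build());
    }

    static void requireSafe(String v) {
        if (v == null || !SAFE_VALUE.matcher(v).matches()) {
            throw new IllegalArgumentException("rejected filter value");
        }
    }
}
```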
