CVE-2026-40967: Spring AI Query Escaping Flaw - What It Means for Your Business and How to Respond

Introduction

CVE-2026-40967 is a high-severity Spring AI vulnerability that can put sensitive business data at risk when AI-driven search or filtering features are used in production. If you rely on Spring-based applications for internal knowledge search, customer support, or data retrieval, this issue deserves immediate attention because it can affect confidentiality, integrity, and service reliability. This post explains what the vulnerability means for your business, how to judge whether you are exposed, and what actions to take now.

Background & History

CVE-2026-40967 was published on April 28, 2026, and concerns Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, with fixes released in 1.0.6 and 1.1.5. The issue is rated high severity, with a CVSS score of 8.6, and is described as an injection flaw affecting how filter expressions are translated into vector store query languages. In plain language, attacker-controlled input can change the meaning of a query instead of being handled safely. The vulnerability was publicly documented by vulnerability intelligence sources that reference the Spring advisory and the CVE record.

What This Means for Your Business

Your primary risk is unauthorized access to information that should remain restricted. If a user can manipulate an AI search filter, they may be able to retrieve records, documents, or responses outside their intended permission level, which can expose customer data, internal files, or confidential pricing and legal material. That can quickly become a business issue, not just a technical one, because data exposure can trigger incident response costs, contractual disputes, and compliance obligations.

You also face operational and reputational impact. AI-powered search and retrieval features are often embedded in customer support portals, internal copilots, and analytics workflows, so a flaw in query handling can undermine trust in systems that employees and customers depend on every day. If the application sits in a regulated environment, such as finance, healthcare, or professional services, the exposure may also create reporting and governance problems.

The business concern is not limited to direct data theft. Altered queries can affect decision-making, surface inaccurate results, or cause unexpected service behavior that slows teams down and damages confidence in digital tools. For organizations rolling out AI features across the USA and Canada, this is especially important because data handling expectations are high and response timelines for security issues are often short.

Real-World Examples

Regional bank: An internal AI assistant used by branch staff could return account-related records outside the intended scope if filter input is manipulated. That creates a privacy exposure, a possible regulatory incident, and a loss of trust among both employees and customers.

Healthcare provider: A hospital using Spring AI to search policies, patient guidance, or support content could inadvertently expose restricted information through altered queries. Even if no records are stolen, the organization may still face compliance review and incident handling costs.

Retail enterprise: A customer service chatbot might pull pricing, order, or inventory data from back-end systems in ways that bypass expected filters. The result can be incorrect answers, customer frustration, and a higher burden on support teams.

Mid-sized software company: An internal knowledge search tool could surface engineering notes, security runbooks, or client data that were meant for limited audiences. That can slow product delivery because teams may need to pause deployments and review access controls across connected services.

Am I Affected?

• You are affected if you run Spring AI 1.0.0 through 1.0.5 or 1.1.0 through 1.1.4.

• You are affected if your application uses Spring AI filter expression features to query vector stores.

• You are affected if the application processes user-controlled search, retrieval, or filter input over the network.

• You are especially exposed if the system handles sensitive, regulated, or customer-facing data.

• You are not affected by this specific CVE if you have upgraded to Spring AI 1.0.6 or 1.1.5 and verified the deployed version in production.

Key Takeaways

• You should treat CVE-2026-40967 as a business risk because it can expose information that was never meant to be visible.

• You should prioritize systems where AI search, retrieval, or filtering touches confidential data.

• You should verify the exact Spring AI version in production, not just in source code or development.

• You should assume customer trust, compliance posture, and service reliability are all at stake until the issue is remediated.

• You should move quickly because the fix is available and the exposure is tied to a specific version range.

Call to Action

If you use Spring AI in customer-facing or internal business systems, now is the right time to validate exposure and reduce risk with a focused security review. IntegSec can help you assess affected applications, confirm remediation, and harden your environment with a practical penetration test approach. Contact IntegSec at https://integsec.com for a clear, business-focused path to stronger cybersecurity.

A — Technical Analysis

CVE-2026-40967 affects Spring AI’s FilterExpressionConverter implementations, where keys and values are not properly escaped before translation into vector store query languages. The issue is classified as CWE-94, improper control of generation of code, and the published CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, which aligns with network-based exploitation requiring no privileges or user interaction. The vulnerability was published on April 28, 2026, and the known fixed versions are 1.0.6 and 1.1.5.

B — Detection & Verification

Version enumeration should start with application dependency review, such as checking the resolved Spring AI artifact version in your build manifests and deployed container image. Security teams should also look for request patterns that include unusual filter operators, malformed escaping, or search payloads that produce broader-than-expected result sets. Indicators may include abnormal query shapes in application logs, unexpected access to restricted vector entries, and repeated probing of AI search endpoints from the same client or IP range.

If you use a scanner or SCA platform, verify whether it flags Spring AI versions below 1.0.6 or 1.1.5. Network and application telemetry may reveal frequent filter manipulation attempts, especially where a previously limited search suddenly returns a much larger data set. Behavioral anomalies often show up first as strange relevance results, sudden increases in sensitive document retrieval, or support tickets from users who see content they should not see.

C — Mitigation & Remediation

1. Immediate (0-24h): Upgrade to Spring AI 1.0.6 or 1.1.5 in production, because those are the fixed versions identified in the advisory.

2. Short-term (1-7d): Inventory every application that uses Spring AI, confirm where filter-based retrieval is exposed to user input, and restrict access to the affected feature until you verify the rollout.

3. Long-term (ongoing): Add secure coding review for query construction, centralize dependency monitoring, and validate AI search output against authorization rules before results reach users.

If patching cannot happen immediately, place the affected feature behind stronger authentication, limit it to trusted users, and reduce exposure by disabling or narrowing external input paths into filter generation. Review logs for suspicious query manipulation and validate that the deployed runtime matches the fixed version after maintenance windows.

D — Best Practices

• Escape and validate all user-controlled filter values before query translation.

• Enforce authorization checks after retrieval, not only before search submission.

• Keep AI search features behind identity controls and least-privilege access.

• Monitor for unexpected expansion in query results or access to sensitive records.

• Track dependency versions continuously so fixed releases are deployed quickly.