CVE Watchtower



CVE-2026-40978 (NVD)

Vulnerability Summary

SQL injection vulnerability in Spring AI's `CosmosDBVectorStore` allows attackers to execute arbitrary SQL queries via crafted document IDs.

Affected versions:
Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Severity Level: HIGH (8.8)
Published Date: Apr 28, 2026
Last Modified: Apr 29, 2026
Exploitation Status: No confirmed exploitation yet
EPSS Score (30-Day): 0.02% probability
Root Weakness (CWE): Improper neutralization of special elements used in an SQL command, allowing attackers to modify queries.

CVSS v3.1 Base Metrics
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High