CVE-2026-47835
Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores
CVSS Score
8.6
EPSS Score
0.0%
EPSS Percentile
0th
In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).
| CWE | CWE-943 |
| Vendor | spring |
| Product | spring ai |
| Ecosystems | |
| Industries | TechnologyEnterprise |
| Published | Jun 15, 2026 |
| Last Updated | Jun 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for spring spring ai
Be the first to know when new high vulnerabilities affecting spring spring ai are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low
Affected Versions
Spring / Spring AI
1.0.0 < 1.0.9 1.1.0 < 1.1.8