Mallory

Spring discloses Spring AI injection flaw and Spring gRPC security context issues

Tags: ai-platform-security, open-source-dependency-vulnerability, identity-authentication-vulnerability, widely-deployed-product-advisory, internet-facing-service-vulnerability
Updated April 28, 2026 at 09:07 AM. 4 sources

Spring published three security advisories covering Spring AI and Spring gRPC, including CVE-2026-40967, a flaw in VectorStore FilterExpressionConverter implementations that can let attackers manipulate generated vector store queries because keys and values are not properly escaped. The issue affects Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, and is fixed in 1.0.6 and 1.1.5. External vulnerability tracking describes the bug as a high-severity code or query injection risk with CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L and maps it to CWE-94.
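The defect class the advisory describes is a converter that turns a structured filter expression into a backend query string by interpolating keys and values verbatim. The model below is written for this page (it is not Spring AI's code, and its `Expr` type, operators and backend syntax are assumptions) to show that shape next to a hardened converter that allowlists keys, checks value types and escapes string literals:

```python
import re
from dataclasses import dataclass
from typing import Any, Optional

@dataclass(frozen=True)
class Expr:
    """Tiny filter AST (assumed, not Spring AI's): EQ/NE/IN leaves or AND."""
    op: str
    key: Optional[str] = None
    value: Any = None
    left: Optional["Expr"] = None
    right: Optional["Expr"] = None

# Constructed allowlist: the only metadata keys this application filters on.
ALLOWED_KEYS = {"author", "year", "category"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def _raw_literal(value: Any) -> str:
    # Vulnerable shape: a quote inside the value ends the literal early.
    return str(value) if isinstance(value, (int, float)) else f"'{value}'"

def _safe_key(key: str) -> str:
    # Keys are identifiers from a fixed set, never free-form text.
    if not isinstance(key, str) or key not in ALLOWED_KEYS or not _IDENT.match(key):
        raise ValueError(f"filter key not allowed: {key!r}")
    return key

def _safe_literal(value: Any) -> str:
    # Numbers are emitted as numbers; strings get backslash and quote escaped.
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise TypeError(f"unsupported filter value type: {type(value).__name__}")
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def _convert(e: Expr, key_fn, lit_fn) -> str:
    if e.op == "AND":
        return f"({_convert(e.left, key_fn, lit_fn)}) AND ({_convert(e.right, key_fn, lit_fn)})"
    if e.op == "IN":
        return f"{key_fn(e.key)} in [{', '.join(lit_fn(v) for v in e.value)}]"
    if e.op in ("EQ", "NE"):
        return f"{key_fn(e.key)} {'==' if e.op == 'EQ' else '!='} {lit_fn(e.value)}"
    raise ValueError(f"unknown operator: {e.op}")

def convert_unsafe(e: Expr) -> str:
    """Keys and values interpolated verbatim: the pattern behind the advisory."""
    return _convert(e, lambda k: k, _raw_literal)

def convert_safe(e: Expr) -> str:
    """Hardened: allowlisted keys, type-checked values, escaped string literals."""
    return _convert(e, _safe_key, _safe_literal)
```

The unsafe converter emits `author == 'o'neil'` for a value containing a quote, so the literal boundary is decided by the data; the safe one emits `author == 'o\'neil'` and rejects any key outside the allowlist.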

Spring also disclosed two Spring gRPC vulnerabilities: CVE-2026-40968, in which SecurityContext data can leak across requests after an authorization failure, and CVE-2026-40969, where an AuthenticationException message may be reflected back to a remote client. Together, the advisories point to risks of query manipulation, cross-request security context exposure, and unintended error-message disclosure in applications built on affected Spring components.

Timeline

  1. Apr 28, 2026

    CVE feed republishes technical details for CVE-2026-40967

    A CVE tracking source summarized CVE-2026-40967 as an unvalidated filter expression converter vulnerability that can enable query manipulation through improper escaping. The entry reiterated affected and fixed Spring AI versions and linked the disclosure to Spring's advisory.

  2. Apr 28, 2026

    Spring discloses two Spring gRPC vulnerabilities

    Spring published advisories for CVE-2026-40968 and CVE-2026-40969 affecting Spring gRPC. The flaws involve SecurityContext leakage across requests on authorization failure and reflection of AuthenticationException messages to remote clients.

  3. Apr 27, 2026

    Spring publishes advisory for CVE-2026-40967 in Spring AI

    Spring disclosed CVE-2026-40967, a VectorStore FilterExpressionConverter injection flaw in Spring AI. The issue affects versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, and Spring identified fixes in versions 1.0.6 and 1.1.5.


Related Stories

Spring fixes TLS hostname verification flaws and DevTools timing attack issue

Spring published advisories for four vulnerabilities affecting its ecosystem, including three flaws in auto-configuration for **Elasticsearch**, **Cassandra**, and **RabbitMQ** that can disable TLS hostname verification when an SSL bundle is used. The issues are tracked as `CVE-2026-40970`, `CVE-2026-40974`, and `CVE-2026-40971`, respectively, and could weaken certificate validation for connections to those backend services. A fourth advisory, `CVE-2026-40972`, affects **Spring DevTools** and states that remote secret comparison is vulnerable to timing attacks. Together, the disclosures highlight risks in both transport security and authentication-related logic, with the TLS-related bugs potentially exposing applications to man-in-the-middle scenarios and the DevTools issue creating an avenue for attackers to infer secrets through response timing differences.

1 week ago
Spring Issues Security Updates Across Boot, Framework, Security, and Gateway

Spring published multiple security advisories covering several widely used components, including **Spring Cloud Gateway**, **Spring Security**, **Spring Authorization Server**, **Spring Framework**, and a critical update for **Spring Boot**. The Canadian Centre for Cyber Security said the advisories were released between April 9 and April 23 and identified affected version ranges across these product lines, with Spring Boot fixes specifically issued for the `4.0.x`, `3.5.x`, `3.4.x`, `3.3.x`, and `2.7.x` release branches. Canadian authorities urged organizations to review the referenced Spring advisories and apply the vendor updates for all impacted deployments. The notices describe the issue as a patching and vulnerability-management matter rather than confirmed active exploitation, but they emphasize that administrators should promptly update affected Spring environments to the patched versions listed by the vendor.

1 week ago
Spring Security Flaw Leaves HTTP Security Headers Unwritten

Spring disclosed **`CVE-2026-22732`**, a vulnerability in **Spring Security** in which HTTP security headers may not be written under certain conditions, weakening browser-side protections that applications rely on to reduce exposure to client-side attacks. The issue affects the framework’s handling of response headers, creating a risk that expected defenses are absent even when developers believe they are enabled. Belgium’s **CCB Safeonweb** warned that the flaw can enable **multiple types of client-side attacks** and urged organizations to **patch immediately**. The combined advisories indicate that teams using Spring Security should review affected versions, apply vendor fixes, and verify that critical response headers are being sent correctly to browsers after remediation.

1 month ago
