High (8.8)

Spring AI SQLi via document IDs (CVE-2026-40978)

CVE-2026-40978: Spring AI CosmosDBVectorStore SQLi lets attackers execute arbitrary SQL via crafted document IDs. Update to 1.0.6 or 1.1.5.

Affected: VMware Spring AI

Vendor-confirmed - CVE-2026-40978 is a high-severity SQL injection vulnerability in Spring AI 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4 that allows attackers to execute arbitrary SQL queries on the CosmosDB database through crafted document IDs. Patched in versions 1.0.6 and 1.1.5 - update immediately.

Overview

CVE-2026-40978 affects the CosmosDBVectorStore component of Spring AI, a popular framework for building AI-powered applications with Spring. The vulnerability arises from insufficient sanitization of document IDs passed to vector store operations. An attacker with low privileges can inject arbitrary SQL commands into queries sent to the Azure CosmosDB backend, bypassing the intended data access controls.

This is a classic SQL injection (SQLi) flaw that leverages the product’s vector document retrieval functionality. The attacker does not need any user interaction and the attack complexity is low, meaning exploitation is straightforward once the attacker can supply crafted document IDs (for example, through a public API endpoint or web form that accepts vector store queries). The CVSS v3.1 score of 8.8 reflects the broad network attack surface, low privilege requirement, and high potential for data compromise.

Impact

An attacker exploiting CVE-2026-40978 can:

  • Read, modify, or delete arbitrary data in the CosmosDB database, including sensitive application data, credentials, or other stored vectors.
  • Execute administrative database commands, potentially leading to complete compromise of the database instance.
  • In some configurations, escalate the attack to execute commands on the underlying operating system if the database user has elevated permissions.

Because CosmosDB is often used as a persistent data store alongside vector embeddings for AI workloads, the impact can extend to corrupting or exfiltrating AI training data, user session data, or financial records.

Remediation

Upgrade to Patched Versions

The Spring team has released fixes in the following versions:

  • Spring AI 1.0.6 (for the 1.0.x line)
  • Spring AI 1.1.5 (for the 1.1.x line)

Upgrade your Spring AI dependency to the appropriate patched version. No configuration changes are needed after the upgrade - the fix sanitizes document IDs before passing them to CosmosDB queries.

Mitigation (if immediate upgrade is not possible)

If you cannot upgrade immediately, implement one or more of the following mitigations:

  • Apply input validation - Ensure all user-supplied document IDs are validated against a strict allowlist of safe characters (alphanumeric, hyphens, underscores only). Reject any IDs containing SQL control characters like single quotes, semicolons, or dashes.
  • Restrict database permissions - Reduce the CosmosDB account privileges used by the application to read-only where possible, limiting the impact of any SQL injection.
  • Use a Web Application Firewall (WAF) - Configure a WAF rule (for example, in Azure Front Door or Cloudflare) to block requests containing SQL injection patterns in query parameters or body data.
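The input-validation mitigation above can be enforced in one place, before any ID reaches the vector store. The following is an added example, not code from Spring AI or from the vendor fix; the class name `DocumentIdGuard`, the 128-character length cap, and the sample IDs are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: allowlist guard for document IDs (hypothetical helper, not part of Spring AI). */
public final class DocumentIdGuard {

    // ASCII letters, digits, hyphen and underscore only, as in the allowlist above.
    // The 1..128 length bound is an assumption; set it to your own ID format.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,128}");

    private DocumentIdGuard() {}

    /** True only if the entire ID matches the allowlist; matches() anchors both ends. */
    public static boolean isSafe(String id) {
        return id != null && SAFE_ID.matcher(id).matches();
    }

    /** Returns an immutable copy if every ID is safe; otherwise rejects the whole batch. */
    public static List<String> requireSafe(List<String> ids) {
        List<Integer> rejected = new ArrayList<>();
        for (int i = 0; i < ids.size(); i++) {
            if (!isSafe(ids.get(i))) {
                rejected.add(i);
            }
        }
        if (!rejected.isEmpty()) {
            // Report positions rather than raw values so hostile input is not echoed into logs.
            throw new IllegalArgumentException("Rejected document IDs at positions " + rejected);
        }
        return List.copyOf(ids);
    }

    public static void main(String[] args) {
        // Constructed sample IDs covering the characters the advisory names plus common edge cases:
        // empty string, whitespace, single quote, semicolon, non-ASCII letter, trailing newline.
        String[] samples = {"doc-42", "user_7f3a", "", "a b", "id'1", "id;1", "caf\u00e9", "doc-42\n"};
        for (String s : samples) {
            System.out.printf("%-10s -> %s%n", s.replace("\n", "\\n"), isSafe(s) ? "accept" : "reject");
        }
        try {
            requireSafe(List.of("doc-1", "id'1", "doc-3"));
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage()); // one bad ID fails the whole batch
        }
    }
}
```

Call `requireSafe` on every caller-supplied ID list at the application boundary, and treat a rejection as a client error rather than attempting to strip or escape the offending characters.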

Security Insight

CVE-2026-40978 is a reminder that even infrastructure-level components in AI pipelines - such as vector stores - are not immune to classic injection flaws. As organizations rush to embed AI capabilities via frameworks like Spring AI, the underlying database and data access layers often inherit the same security weaknesses present in traditional web applications. This vulnerability mirrors the SQL injection flaws found in countless web ORMs over the past two decades, now reappearing in AI-specific contexts. Vendors must apply the same rigorous input validation and parameterized query patterns to all data access layers, regardless of whether they serve an AI workflow or a traditional one. The security industry has known how to prevent SQLi for over 20 years - there is no excuse for shipping patches instead of applying parameterized queries at design time.
