Severity: HIGH | CVE-2026-47835 | CNA: vmware

CVE-2026-47835: Spring AI vector store metadata filtering to handle special characters in Elasticsearch, OpenSearch, and GemFire Vector Stores

In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).

Metrics

  • CVSS v3.1: 8.6
  • Severity: HIGH
  • Fixed in: 1.0.9
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A query-injection vulnerability in Spring AI's vector store integrations (spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store) allows an unauthenticated remote attacker to inject special characters into metadata filter expressions and force the execution of arbitrary queries against the underlying vector database. The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates the service must be reachable over a network and requires no authentication or user interaction to exploit. Successful exploitation gives the attacker read access to stored vector data and limited ability to tamper with or disrupt query results. Patched-image rebuilds at versions 1.0.9 and 1.1.8 are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-47835 is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle spring-ai-elasticsearch-store, spring-ai-opensearch-store, or spring-ai-gemfire-store. Any image in a connected registry or CI pipeline that carries an affected Spring AI version (1.0.0-1.0.8 or 1.1.0-1.1.7) is flagged automatically.

Triage

Triage is available using the CVSS 3.1 score of 8.6 (HIGH), weighted against each customer organization's compliance policy to determine urgency and ticket routing. Findings are surfaced to the appropriate team inbox within the customer org based on ownership rules configured in their HarborGuard environment.

Patch

A patched-image rebuild at Spring AI 1.0.9 or 1.1.8 (depending on the branch in use) is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for high-severity issues.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Spring AI application over the network; any internet- or intranet-exposed deployment is in scope.

  • Authentication: Not required

    No credentials are needed; the injection can be triggered through unauthenticated metadata filter inputs.

  • Victim interaction: Not required

    Exploitation is fully automated and requires no action from any user or administrator.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions or special environmental factors are required to inject and execute arbitrary queries.

Blast Radius

  • An attacker can extract stored vector embeddings and associated metadata records from the affected Elasticsearch, OpenSearch, or GemFire vector store.
  • Injected queries can manipulate filter logic to return or suppress specific documents, corrupting the results that downstream AI features rely on.
  • Service responsiveness can be degraded by forcing expensive or malformed queries through the injection point.

How HarborGuard Handles This

Available on HarborGuard: detection, triage, and rebuild capabilities for CVE-2026-47835 are active across connected environments. For customers running Spring AI 1.0.x or 1.1.x images, HarborGuard matches affected component versions (spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store) and surfaces findings scored at 8.6 HIGH. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the appropriate fix version (1.0.9 for 1.0.x deployments, 1.1.8 for 1.1.x deployments), runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the rebuilt image is staged and a notification is sent for manual review and promotion. Until a rebuild is deployed, consider applying network-policy controls to restrict which services can submit metadata filter inputs to the vector store endpoints, and validate or sanitize filter expressions at the application boundary as a compensating control.
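
The compensating control named above (validating filter inputs at the application boundary), as an added example; it is not Spring AI or HarborGuard code, and the class name `MetadataFilterGuard`, the allowed keys and the value pattern are assumptions. It rejects rather than escapes, so it does not depend on knowing which special characters the affected stores mishandle.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example, not Spring AI code: allowlist check for caller-supplied
// metadata filter inputs, run before any filter expression is built.
public final class MetadataFilterGuard {

    // Assumption: the only metadata keys callers may filter on.
    private static final Set<String> ALLOWED_KEYS = Set.of("tenant", "docType", "year");

    // Assumption: values are short identifiers. Anything outside this set
    // (quotes, backslashes, brackets, whitespace, control characters) is
    // rejected rather than escaped.
    private static final Pattern SAFE_VALUE = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    private MetadataFilterGuard() { }

    /** Returns a validated copy of the filters, or throws IllegalArgumentException. */
    public static Map<String, String> validate(Map<String, String> requested) {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : requested.entrySet()) {
            String key = e.getKey();
            String value = e.getValue();
            if (key == null || !ALLOWED_KEYS.contains(key)) {
                throw new IllegalArgumentException("filter key not allowed");
            }
            // matches() anchors the pattern to the whole value.
            if (value == null || !SAFE_VALUE.matcher(value).matches()) {
                throw new IllegalArgumentException("filter value rejected for key " + key);
            }
            clean.put(key, value);
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        System.out.println(validate(Map.of("tenant", "acme-01", "year", "2025")));
        try {
            validate(Map.of("tenant", "acme 01*"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Only the map returned by `validate` should reach the code that builds the filter expression; the check is a stopgap until an image at 1.0.9 or 1.1.8 is deployed.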

Fix available

1.0.9, 1.1.8
Affected packages
  • Spring / Spring AI
    < 1.0.9 (from 1.0.0) · < 1.1.8 (from 1.1.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L