CVE-2026-47835
8.6 HIGH
Published: 2026-06-15 · Last updated: 2026-06-16
Severity and scoring
- CVSS: 8.6 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
- CWE: CWE-943
Description
In Spring AI Vector Stores, special characters could be used to force the execution of arbitrary queries in Elasticsearch, OpenSearch, and GemFire VectorDB. Affected components: spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store. Affected versions: Spring AI 1.0.0 through 1.0.x (fix 1.0.9). Spring AI 1.1.0 through 1.1.x (fix 1.1.8).
Source: NVD
Related CVEs
Same CWE
- CVE-2026-49482 — ClipBucket v5 is an open source video sharing platform (4.3 MEDIUM)
- CVE-2026-47181 — PenguinMod-BackendApi is the backend api for penguinmod
- CVE-2026-53674 — BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibilit... (7.1 HIGH)
- CVE-2026-41697 — Spring Data Relational does not properly escape binding values of externally-controlled input when using StringMatcher (STARTING, ENDING,... (4.8 MEDIUM)
- CVE-2026-41696 — Spring Data MongoDB repository query methods annotated with @Query that use regex parameter binding perform insufficient validation of th... (5.9 MEDIUM)