GHSA-v632-2m87-7469

Source

https://github.com/advisories/GHSA-v632-2m87-7469

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v632-2m87-7469/GHSA-v632-2m87-7469.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v632-2m87-7469

Aliases

CVE-2026-41705

Published

2026-05-09T03:31:21Z

Modified

2026-05-14T13:25:54.522151Z

Severity

8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L CVSS Calculator

Summary

Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs

Details

Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs. Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.

Database specific

{
    "nvd_published_at": "2026-05-09T01:16:08Z",
    "cwe_ids": [
        "CWE-917"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:10:18Z"
}

References

Affected packages

Maven

org.springframework.ai:spring-ai-milvus-store

Package

Name: org.springframework.ai:spring-ai-milvus-store; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.ai/spring-ai-milvus-store

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.7

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v632-2m87-7469/GHSA-v632-2m87-7469.json"

org.springframework.ai:spring-ai-milvus-store

Package

Name: org.springframework.ai:spring-ai-milvus-store; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.ai/spring-ai-milvus-store

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.0

Fixed

1.1.6

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v632-2m87-7469/GHSA-v632-2m87-7469.json"

org.springframework.ai:spring-ai-typesense-store

Package

Name: org.springframework.ai:spring-ai-typesense-store; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.ai/spring-ai-typesense-store

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.7

Affected versions

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v632-2m87-7469/GHSA-v632-2m87-7469.json"

org.springframework.ai:spring-ai-typesense-store

Package

Name: org.springframework.ai:spring-ai-typesense-store; View open source insights on deps.dev
Purl: pkg:maven/org.springframework.ai/spring-ai-typesense-store

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.1.0

Fixed

1.1.6

Affected versions

1.*

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-v632-2m87-7469/GHSA-v632-2m87-7469.json"