Full Report
Spring security advisory (AV26-443)
Analysis Summary
# Vulnerability: Multiple Security Flaws in Spring AI (May 2026 Advisory)
## CVE Details
- **CVE ID:** CVE-2026-41705, CVE-2026-41713, CVE-2026-41712
- **CVSS Score:** Not explicitly listed in source (Typically High for Expression Injection/Data Leakage)
- **CWE:**
- CVE-2026-41705: CWE-917 (Expression Language Injection)
- CVE-2026-41713: CWE-506 (Malicious Code / Prompt Injection)
- CVE-2026-41712: CWE-200 (Information Exposure)
## Affected Systems
- **Products:** Spring AI
- **Versions:**
- 1.0.x versions prior to 1.0.7
- 1.1.x versions prior to 1.1.6
- **Configurations:**
- Use of `MilvusVectorStore` for CVE-2026-41705.
- Use of `PromptChatMemoryAdvisor` for CVE-2026-41713.
- Use of default `ChatMemory` conversation IDs for CVE-2026-41712.
## Vulnerability Description
This advisory covers three distinct security flaws within the Spring AI framework:
1. **Expression Injection (CVE-2026-41705):** A flaw in the `doDelete` method of `MilvusVectorStore` allows an attacker to inject expressions. This can lead to unauthorized data destruction within the Milvus vector database.
2. **Prompt Injection/Memory Poisoning (CVE-2026-41713):** A vulnerability in `PromptChatMemoryAdvisor` where malicious input can poison the chat memory, potentially leading to unauthorized model behavior or data extraction.
3. **Cross-User Data Leakage (CVE-2026-41712):** Applications using the `DEFAULT_CONVERSATION_ID` in `ChatMemory` may fail to properly isolate user sessions, leading to unintended information exposure across different users.
## Exploitation
- **Status:** Not explicitly stated as exploited in the wild; PoC status unknown.
- **Complexity:** Medium (Requires specific implementation of affected AI components).
- **Attack Vector:** Network.
## Impact
- **Confidentiality:** High (Data leakage via `ChatMemory`).
- **Integrity:** High (Memory poisoning and AI manipulation).
- **Availability:** High (Data destruction via Expression Injection).
## Remediation
### Patches
Users should upgrade to the following versions immediately:
- **Spring AI 1.0.7** (for 1.0.x users)
- **Spring AI 1.1.6** (for 1.1.x users)
### Workarounds
- **For CVE-2026-41712:** Explicitly define unique, non-default Conversation IDs for every user session rather than relying on the `DEFAULT_CONVERSATION_ID`.
- **General:** Sanitize inputs before passing them to the VectorStore or Memory Advisor components until patches can be applied.
## Detection
- **Indicators of Compromise:** Unusual deletion patterns in Milvus databases; AI responses containing data from other users' sessions.
- **Detection Methods:** Review application logs for unexpected SpEL (Spring Expression Language) patterns in database queries and verify that `ChatMemory` implementations are using unique session identifiers.
## References
- [Spring Security Advisory CVE-2026-41705] hxxps[://]spring[.]io/security/cve-2026-41705
- [Spring Security Advisory CVE-2026-41713] hxxps[://]spring[.]io/security/cve-2026-41713
- [Spring Security Advisory CVE-2026-41712] hxxps[://]spring[.]io/security/cve-2026-41712
- [Canadian Centre for Cyber Security Bulletin] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/spring-security-advisory-av26-443