Spring discloses Spring AI injection flaw and Spring gRPC security context issues
Spring published three security advisories covering Spring AI and Spring gRPC, including CVE-2026-40967, a flaw in VectorStore FilterExpressionConverter implementations that can let attackers manipulate generated vector store queries because keys and values are not properly escaped. The issue affects Spring AI versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, and is fixed in 1.0.6 and 1.1.5. External vulnerability tracking describes the bug as a high-severity code or query injection risk with CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L and maps it to CWE-94.
Spring also disclosed two Spring gRPC vulnerabilities: CVE-2026-40968, in which SecurityContext data can leak across requests after an authorization failure, and CVE-2026-40969, where an AuthenticationException message may be reflected back to a remote client. Together, the advisories point to risks of query manipulation, cross-request security context exposure, and unintended error-message disclosure in applications built on affected Spring components.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE feed republishes technical details for CVE-2026-40967
A CVE tracking source summarized CVE-2026-40967 as an unvalidated filter expression converter vulnerability that can enable query manipulation through improper escaping. The entry reiterated affected and fixed Spring AI versions and linked the disclosure to Spring's advisory.
Spring discloses two Spring gRPC vulnerabilities
Spring published advisories for CVE-2026-40968 and CVE-2026-40969 affecting Spring gRPC. The flaws involve SecurityContext leakage across requests on authorization failure and reflection of AuthenticationException messages to remote clients.
Spring publishes advisory for CVE-2026-40967 in Spring AI
Spring disclosed CVE-2026-40967, a VectorStore FilterExpression Converter injection flaw in Spring AI. The issue affects versions 1.0.0 through 1.0.5 and 1.1.0 through 1.1.4, and Spring identified fixes in versions 1.0.6 and 1.1.5.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40968: Spring gRPC SecurityContext leaks across requests on authorization failure
spring.io
Open sourceCVE-2026-40969: Spring gRPC AuthenticationException message reflected to remote client
spring.io
Open sourceCVE-2026-40967 - Spring AI Unvalidated Filter Expression Converter Vulnerability (Code Injection)
cvefeed.io
Open sourceCVE-2026-40967: VectorStore FilterExpression Converter injection
spring.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Spring Cloud Config and Spring AI Flaws Expose Systems to RCE and SSRF
The Canadian Centre for Cyber Security issued advisory **AV26-288** warning that multiple vulnerabilities disclosed by Spring affect **Spring Cloud Config** and **Spring AI**, including **server-side request forgery (SSRF)**, unintended file access, query injection, and a **SpEL injection** that can lead to **remote code execution (RCE)**. The notice says the issues were disclosed by Spring between March 23 and 26 and urged organizations to review the vendor advisories and assess exposure in affected deployments. Affected versions include **Spring Cloud Config** releases prior to **3.1.3**, **4.1.9**, **4.2.6**, **4.3.2**, and **5.0.2**, along with **Spring AI** versions prior to **1.0.5** and **1.1.4**. The Cyber Centre advised administrators and users to apply the relevant updates to reduce the risk of exploitation against exposed services and vulnerable application environments.
May 25, 2026
Spring patches LDAP auth bypass and multiple DoS flaws across Framework and Data
Spring disclosed a broad set of vulnerabilities across **Spring Framework**, **Spring Data Commons**, and **Spring LDAP**, including a high-severity authentication bypass tracked as `CVE-2026-41720`. The LDAP flaw allows login with a valid username and an empty or null password when the backing LDAP server permits unauthenticated binds, affecting authentication flows that use `AbstractContextSource`, `LdapTemplate`, or `LdapClient`. Spring also fixed a low-severity WebFlux session fixation issue (`CVE-2026-41839`) tied to compromised subdomains, and an information disclosure bug (`CVE-2026-41841`) in Spring MVC and WebFlux where shared static-resource caches could expose protected files if a public resource with the same name had already been cached. Several denial-of-service issues were patched at the same time. In Spring Framework, `CVE-2026-41840` can leak memory through malicious multipart requests in WebFlux, while `CVE-2026-41842` can tie up HTTP connections through slow resolution of versioned file-system resources in Spring MVC or WebFlux. In Spring Data Commons, `CVE-2026-41695`, `CVE-2026-41711`, `CVE-2026-41716`, and `CVE-2026-41721` can be triggered by attacker-controlled property paths, sort parameters, property names, or `@ProjectedPayload` data binding, leading to stack overflows, heap exhaustion, or excessive memory allocation when applications expose those inputs to untrusted users. Spring urged customers to upgrade to fixed releases, including Framework `7.0.8`, `6.2.19`, and `6.1.28`, Data Commons `4.0.6` and `3.5.12`, and LDAP `2.4.5`, `3.2.18`, `3.3.8`, or `4.0.4`, with some older branches receiving fixes only through commercial support.
Jun 11, 2026
Spring discloses deserialization flaws in Kafka header mappers and JMS converters
Spring disclosed two high-severity unsafe deserialization vulnerabilities affecting widely used messaging components: `CVE-2026-41731` in **Spring for Apache Kafka** and `CVE-2026-41855` in the **Spring Framework**. The Kafka issue stems from overly broad trusted-package matching in `JsonKafkaHeaderMapper` and the deprecated `DefaultKafkaHeaderMapper`, where prefix-based checks caused trust in a package to extend to all subpackages. Spring said a malicious producer could abuse crafted Kafka header values together with Jackson's default bean deserialization to make consumers instantiate arbitrary JDK classes, and assigned the flaw `CWE-502` with a `CVSS:3.1` vector of `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H`. The related Spring Framework flaw affects Jackson-based JMS message converters in untrusted JMS environments, where deserialization of gadget classes can enable arbitrary class instantiation and unauthorized actions. Affected Kafka versions include `4.0.0`-`4.0.5`, `3.3.0`-`3.3.15`, `3.2.0`-`3.2.13`, `2.9.0`-`2.9.13`, and `2.8.0`-`2.8.11`, while Spring recommended upgrading Kafka deployments to fixed releases such as `4.0.6` and `3.3.16`, with commercial fixes for other branches. The JMS converter issue impacts Spring Framework `7.0.0`-`7.0.7`, `6.2.0`-`6.2.18`, `6.1.0`-`6.1.27`, and `5.3.0`-`5.3.48`, extending the exposure across multiple supported and legacy release lines.
Jun 10, 2026