PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47835 Spring CVE debrief

A high-severity vulnerability (CVSS 8.6) was disclosed in the Spring AI Vector Store modules for Elasticsearch, OpenSearch and GemFire VectorDB. Special characters in input that reaches a store query are not neutralized, so an attacker who controls that input can change the query that is sent to the backing store, up to executing arbitrary queries against it. The affected artifacts are spring-ai-elasticsearch-store, spring-ai-opensearch-store and spring-ai-gemfire-store. Spring AI 1.0.0 through 1.0.x and 1.1.0 through 1.1.x are affected; the fixes are in 1.0.9 and 1.1.8 respectively.

Vendor
Spring
Product
Spring AI
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-15
Original CVE updated
2026-06-15
Advisory published
2026-06-15
Advisory updated
2026-06-15

Who should care

Anyone running Spring AI with the Elasticsearch, OpenSearch or GemFire VectorDB vector store modules, especially where user-supplied text (search queries, metadata filter values) flows into store queries. Check the resolved version of the store artifacts in your build and upgrade to a fixed release.

Technical summary

The store modules do not properly handle special characters in the queries they build, so query syntax carried in untrusted input is forwarded to the backing database and executed. An attacker who reaches this path can run queries of their own choosing against the vector store, which could expose or alter indexed documents and embeddings beyond what the application intended. The advisory does not publish further detail on the exact code path.
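To make the weakness concrete, the following is an added Python illustration of the query-injection class, not code from Spring AI or from the advisory (the exact code path in the affected modules is not published there). It assumes a store that composes an Elasticsearch/Lucene query_string filter by string concatenation; the tenant and text field names and the sample input are invented for the example.

```python
"""
Illustration of the query-injection class behind CVE-2026-47835: a vector store
splices untrusted text into Elasticsearch/Lucene query_string syntax.
This is added example code, not Spring AI's code; field names are hypothetical.
"""
import json

# Reserved characters of the Elasticsearch/Lucene query_string syntax.
# '<' and '>' have no escape form at all and must be removed instead.
_QS_RESERVED = set('+-=&|><!(){}[]^"~*?:\\/')


def build_query_unsafe(tenant: str, user_text: str) -> str:
    """Vulnerable pattern: untrusted text concatenated into query syntax.
    A user_text such as 'foo OR tenant:*' rewrites the boolean structure
    and escapes the per-tenant scoping the application intended."""
    return f"tenant:{tenant} AND text:{user_text}"


def escape_query_string(value: str) -> str:
    """Character-level neutralisation for a value that must stay literal text.
    Reserved characters are backslash-escaped; '<' and '>' are dropped because
    the parser offers no escape for them. Note this does NOT neutralise the
    bare words AND / OR / NOT, which the parser also treats as operators, so on
    its own it is an incomplete mitigation."""
    out = []
    for ch in value:
        if ch in "<>":
            continue
        if ch in _QS_RESERVED:
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_query_safe(tenant: str, user_text: str) -> dict:
    """Hardened pattern: a structured bool query. The tenant value sits in a
    'term' filter and the user text is the value of a 'match' clause, so the
    query_string parser never sees either and no syntax can be injected."""
    return {
        "bool": {
            "filter": [{"term": {"tenant": tenant}}],
            "must": [{"match": {"text": {"query": user_text}}}],
        }
    }


def to_request_body(query: dict) -> str:
    """Serialise a structured query as the body of a _search request."""
    return json.dumps({"query": query})


if __name__ == "__main__":
    # Constructed sample input: an injection attempt in the free-text field.
    hostile = "foo OR tenant:*"
    print("unsafe :", build_query_unsafe("acme", hostile))
    print("escaped:", escape_query_string(hostile))
    print("safe   :", to_request_body(build_query_safe("acme", hostile)))
```

Character escaping is shown because it is the obvious first reaction, but the structured form is the one to prefer: the user text appears only as a JSON value of a match clause, so there is no query-language parsing step left to subvert. OpenSearch shares the Lucene query_string grammar; GemFire VectorDB has its own query interface, but the principle of keeping untrusted values out of query syntax is the same.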

Defensive priority

High

Recommended defensive actions

  • Upgrade to Spring AI 1.0.9 (1.0.x line) or 1.1.8 (1.1.x line), and confirm the resolved versions of spring-ai-elasticsearch-store, spring-ai-opensearch-store and spring-ai-gemfire-store in the dependency tree rather than relying on the parent version alone.
  • Until the upgrade is deployed, treat every value that reaches a vector store query or metadata filter as untrusted: escape or reject the query-syntax characters of the backing store, and prefer structured query clauses over concatenated query strings.
  • Run the application against the vector store with least-privilege credentials, so that an injected query cannot read or modify indices beyond the application's own.

Evidence notes

The CVE record (see [cve-org]) and NVD detail (see [nvd]) provide official information on this vulnerability. Additional details can be found in the source reference (see [ref-4]).

Official resources

CVE-2026-47835 was published on 2026-06-15T20:16:28.840Z and has not been modified since publication.