CVE-2026-41705 Overview
CVE-2026-41705 is a filter-expression injection vulnerability in the Spring AI MilvusVectorStore#doDelete(List) method. The implementation passes unsanitized document identifiers directly into a Milvus filter expression. Attackers who control document IDs supplied to the delete operation can manipulate the resulting expression and influence which vectors are removed from the store. The flaw affects Spring AI 1.0.x releases from 1.0.0 through the latest 1.0.x line, and Spring AI 1.1.x releases from 1.1.0 through the latest 1.1.x line. VMware addressed the issue in Spring AI 1.0.7 and 1.1.6. The vulnerability is categorized under [CWE-917], improper neutralization of special elements used in an expression language statement.
Critical Impact
Unauthenticated network-based attackers can inject filter expressions into the Milvus vector store, enabling unintended deletion of stored vectors and degradation of retrieval-augmented generation (RAG) integrity.
Affected Products
- VMware Spring AI 1.0.0 through latest 1.0.x (fixed in 1.0.7)
- VMware Spring AI 1.1.0 through latest 1.1.x (fixed in 1.1.6)
- Applications using MilvusVectorStore with externally influenced document IDs
Discovery Timeline
- 2026-05-09 - CVE-2026-41705 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41705
Vulnerability Analysis
The vulnerability resides in MilvusVectorStore#doDelete(List<String> idList), the method Spring AI uses to remove embedded documents from a Milvus collection. Spring AI builds a Milvus filter expression by concatenating the supplied identifiers into a string that Milvus then evaluates server-side. Because the implementation does not escape or validate identifier values, characters that have meaning in the Milvus expression grammar pass through verbatim. An attacker who can influence the ID list, for example through an application endpoint that deletes documents by user-supplied keys, can break out of the intended id in [...] clause and append predicates that broaden the deletion scope.
The injection occurs in an expression language context rather than at the SQL or shell layer, which places it within the [CWE-917] category. The downstream impact depends on the calling application: integrity loss when arbitrary rows are deleted, and availability loss when entire RAG collections are wiped. Confidentiality impact arises because crafted expressions may also expose information about the structure of stored data through delete-by-filter side effects.
Root Cause
The root cause is the absence of input neutralization when constructing a Milvus filter expression from caller-supplied document IDs. The method trusts the identifier strings to be opaque values and concatenates them into the expression string without quoting or escaping the characters that Milvus treats as operators, delimiters, or boolean keywords.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction when the application exposes a delete-by-ID operation to remote clients. An attacker submits crafted identifier values containing Milvus expression syntax. When Spring AI assembles the filter and forwards it to Milvus, the injected predicates execute as part of the delete operation. No specific code example is published in the advisory. Refer to the Spring Security Advisory CVE-2026-41705 for vendor technical details.
Detection Methods for CVE-2026-41705
Indicators of Compromise
- Unexpected mass deletions of vectors or documents from Milvus collections backing Spring AI applications.
- Application logs containing document IDs with Milvus expression operators such as in, not in, &&, ||, ==, or unescaped quotes.
- Milvus server logs showing delete requests with filter expressions that exceed the structure produced by legitimate MilvusVectorStore calls.
Detection Strategies
- Inspect outbound Milvus filter expressions for predicates beyond the expected id in [...] pattern generated by doDelete.
- Audit application endpoints that accept document identifiers and trace whether values reach MilvusVectorStore#doDelete without server-side validation.
- Correlate spikes in Milvus delete volume with HTTP requests containing non-alphanumeric characters in identifier fields.
Monitoring Recommendations
- Log and alert on Milvus delete operations whose filter strings contain expression keywords or boolean operators.
- Track Spring AI dependency versions across services and flag any spring-ai-milvus-store artifact below 1.0.7 or 1.1.6.
- Capture and review application-level audit trails for delete requests originating from unauthenticated or low-privilege contexts.
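The filter-shape check described in the detection strategies and monitoring recommendations above can be sketched as follows. This is an added Java example, not code from Spring AI or the advisory; the field name doc_id, the quoting style and the sample filter strings are assumptions constructed for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added example: flags logged Milvus delete filters that are not a plain ID list. */
public final class DeleteFilterAudit {

    // One quoted ID limited to the allowlist characters; the quote style is an assumption.
    private static final String ID = "(?:\"[A-Za-z0-9_-]+\"|'[A-Za-z0-9_-]+')";

    /** Builds the only shape a delete-by-ID filter should have: <field> in [id, id, ...]. */
    static Pattern expectedShape(String idField) {
        return Pattern.compile("\\s*" + Pattern.quote(idField) + "\\s+in\\s*\\[\\s*"
                + ID + "(?:\\s*,\\s*" + ID + ")*\\s*\\]\\s*");
    }

    /** True when the filter carries anything beyond the expected ID list. */
    static boolean isSuspicious(String filter, Pattern expected) {
        // matches() must consume the whole string, so trailing predicates fail the check.
        return filter == null || !expected.matcher(filter).matches();
    }

    public static void main(String[] args) {
        Pattern expected = expectedShape("doc_id"); // field name is an assumption
        // Constructed filter strings standing in for values pulled from delete logs.
        List<String> logged = List.of(
                "doc_id in [\"a1\",\"b2\"]",
                "doc_id in ['3f2a-9b1c']",
                "doc_id in [\"a1\"] && <additional predicate>",
                "doc_id in [\"a1\", \"b 2\"]");
        for (String filter : logged) {
            System.out.println((isSuspicious(filter, expected) ? "ALERT " : "ok    ") + filter);
        }
    }
}
```

Matching against the one expected shape, instead of searching for a list of operators, also catches expression syntax the alert rule did not anticipate.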
How to Mitigate CVE-2026-41705
Immediate Actions Required
- Upgrade Spring AI to 1.0.7 or later on the 1.0.x branch, or 1.1.6 or later on the 1.1.x branch.
- Restrict delete-by-ID endpoints to authenticated callers with least privilege until the upgrade is deployed.
- Validate document identifiers against a strict allowlist of expected characters before invoking MilvusVectorStore APIs.
Patch Information
VMware fixed CVE-2026-41705 in Spring AI 1.0.7 and 1.1.6. The fix sanitizes document identifiers before they are incorporated into the Milvus filter expression generated by doDelete(List). Upgrade instructions and version metadata are available in the Spring Security Advisory CVE-2026-41705.
Workarounds
- Reject identifier values containing characters outside the expected ID format, for example UUIDs or numeric strings, at the application boundary.
- Wrap calls to MilvusVectorStore#doDelete with a validator that enforces a regex such as ^[A-Za-z0-9_-]+$ on each entry of the list.
- Limit network exposure of services that perform vector deletions and require authentication plus authorization checks tied to the document owner.
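One way to implement the identifier validation named in the immediate actions and workarounds above, as an added Java example that is not Spring AI's own fix. The class name ValidatedDelete, the 64-character and 1000-entry limits and the sample IDs are assumptions; the delegate stands in for the application's call into the vector store.

```java
import java.util.List;
import java.util.function.Consumer;
import java.util.regex.Pattern;

/** Added example: validates document IDs before a delete reaches the vector store. */
public final class ValidatedDelete {

    // Allowlist from the workaround above; the length bound is an assumption.
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    private static final int MAX_BATCH = 1000; // assumed upper bound per request

    private final Consumer<List<String>> delegate;

    /** In a Spring AI application the delegate would be vectorStore::delete (assumed wiring). */
    public ValidatedDelete(Consumer<List<String>> delegate) {
        this.delegate = delegate;
    }

    public void delete(List<String> ids) {
        if (ids == null || ids.isEmpty() || ids.size() > MAX_BATCH) {
            throw new IllegalArgumentException("id list is empty or too large");
        }
        for (int i = 0; i < ids.size(); i++) {
            String id = ids.get(i);
            // matches() requires the whole string to match, so a valid prefix is not enough.
            if (id == null || !SAFE_ID.matcher(id).matches()) {
                // Report the position only; echoing the raw value would put
                // attacker-controlled text into logs and error responses.
                throw new IllegalArgumentException("invalid document id at index " + i);
            }
        }
        // Pass an immutable copy so the list cannot change after validation.
        delegate.accept(List.copyOf(ids));
    }

    public static void main(String[] args) {
        ValidatedDelete guard = new ValidatedDelete(
                ids -> System.out.println("forwarded " + ids.size() + " ids"));
        guard.delete(List.of("doc_42", "3f2a-9b1c")); // constructed, well-formed
        try {
            guard.delete(List.of("doc_42", "a\" || b")); // constructed, has a quote and an operator
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The whole batch is rejected when any entry fails, so a single malformed ID never reaches the store alongside valid ones.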