
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN636
_____________________________________________________________________

DATE                : 15/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Spring AI versions prior to
                     1.0.9 (1.0.x branch) or 1.1.8 (1.1.x branch).

=====================================================================
https://spring.io/security/cve-2026-47835/
_____________________________________________________________________

CVE-2026-47835: Spring AI vector store metadata filtering fails to
handle special characters in the Elasticsearch, OpenSearch, and GemFire
Vector Stores

HIGH | JUNE 12, 2026 | CVE-2026-47835


Description

In the Spring AI Vector Stores, special characters in metadata filter
values were not handled safely, so a caller who controls a filter value
could inject arbitrary queries into the backing Elasticsearch, OpenSearch,
or GemFire VectorDB instance.
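The advisory does not publish the exact characters or code path involved. The following is an added illustration of the general class (filter-value injection into a query grammar), written for this note and not taken from Spring AI; it assumes, as a hypothetical, that a filter value is spliced into Elasticsearch query_string syntax. The reserved-character list is the one Elasticsearch documents for query_string; the sample value and the helper names are constructed for the example.

```python
import json

# Characters Elasticsearch documents as reserved in query_string syntax.
# A space is not reserved but separates terms, so it is escaped here too.
RESERVED = set('+-=&|><!(){}[]^"~*?:\\/ ')

# Constructed sample: a metadata value a caller might supply. The " OR *:*"
# part is query_string syntax, not data, if it reaches the parser unescaped.
CRAFTED_VALUE = "BG OR *:*"


def naive_filter(field, value):
    # Vulnerable pattern (hypothetical): the value is spliced verbatim into
    # query_string syntax, so its reserved characters become query grammar.
    return f"metadata.{field}:{value}"


def escape_query_string(value):
    # Backslash-escape every reserved character (Lucene query_string escaping).
    return "".join("\\" + c if c in RESERVED else c for c in value)


def escaped_filter(field, value):
    # Hardened variant 1: same syntax, but the value can only ever be one term.
    return f"metadata.{field}:{escape_query_string(value)}"


def term_filter(field, value):
    # Hardened variant 2: the structured query DSL. The value travels as JSON
    # data; no query grammar is parsed out of it on the server side.
    return json.dumps({"term": {f"metadata.{field}.keyword": value}})


def count_field_clauses(query):
    # Count unescaped "field:" separators outside quoted phrases in a
    # query_string. A single metadata filter must produce exactly one;
    # more means the value broke out of its clause.
    n, i, in_quotes = 0, 0, False
    while i < len(query):
        c = query[i]
        if c == "\\":       # escaped character: skip it and the next one
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == ":" and not in_quotes:
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    for name, q in (("naive", naive_filter("country", CRAFTED_VALUE)),
                    ("escaped", escaped_filter("country", CRAFTED_VALUE))):
        print(f"{name:8s} clauses={count_field_clauses(q)}  {q}")
    print(f"term     {term_filter('country', CRAFTED_VALUE)}")
```

With the crafted value, the naive string yields two field clauses (the second being a match-everything `*:*`), the escaped string yields one, and the structured `term` query never exposes a grammar to the value at all. Escaping is only as good as the reserved-character list, so the structured DSL is the more robust choice where the backend offers one.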


Affected Spring Products and Versions

Spring AI:

    1.0.0 - 1.0.x
    1.1.0 - 1.1.x


Affected components:

    spring-ai-elasticsearch-store
    spring-ai-opensearch-store
    spring-ai-gemfire-store


Mitigation

Users of affected versions should upgrade to the corresponding fixed
version.

Affected version(s)   Fix version   Availability
1.0.x                 1.0.9         OSS
1.1.x                 1.1.8         OSS

No further mitigation steps are necessary.
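As an added triage aid (written for this note, not part of the advisory or of Spring AI), the helper below reads the `groupId:artifactId:type:version[:scope]` lines that `mvn dependency:list` prints, picks out the three affected store artifacts, and classifies each against the fix table above. The dependency output embedded in it is constructed, not captured from a real build; branches the advisory does not list are reported as "unknown" rather than guessed at.

```python
import re

# The three affected components and the fix version per branch, as listed
# in the advisory. Any other branch is reported as unknown.
AFFECTED_ARTIFACTS = {
    "spring-ai-elasticsearch-store",
    "spring-ai-opensearch-store",
    "spring-ai-gemfire-store",
}
FIXED_BY_BRANCH = {(1, 0): (1, 0, 9), (1, 1): (1, 1, 8)}

# `mvn dependency:list` prints groupId:artifactId:type:version[:scope] lines.
DEP_RE = re.compile(r"([\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?P<version>[\w.\-]+)")
VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")

# Constructed sample output; the versions are made up for the illustration.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.ai:spring-ai-elasticsearch-store:jar:1.0.5:compile
[INFO]    org.springframework.ai:spring-ai-opensearch-store:jar:1.1.8:compile
[INFO]    org.springframework.ai:spring-ai-gemfire-store:jar:1.1.8-SNAPSHOT:compile
[INFO]    org.springframework.ai:spring-ai-vector-store:jar:1.0.5:compile
"""


def classify(artifact, version):
    # Returns "vulnerable", "fixed", "not-listed" (not one of the three
    # affected stores) or "unknown" (a version or branch the advisory does
    # not cover; check by hand).
    if artifact not in AFFECTED_ARTIFACTS:
        return "not-listed"
    m = VER_RE.match(version)
    if not m:
        return "unknown"
    numeric = tuple(int(x) for x in m.groups()[:3])
    prerelease = bool(m.group(4))   # -SNAPSHOT, -M1 etc. predate the bare triple
    fixed = FIXED_BY_BRANCH.get(numeric[:2])
    if fixed is None:
        return "unknown"
    if numeric < fixed or (numeric == fixed and prerelease):
        return "vulnerable"
    return "fixed"


def scan(dependency_list):
    # Map artifact -> (version, status) for every affected store artifact found.
    findings = {}
    for line in dependency_list.splitlines():
        m = DEP_RE.search(line)
        if m and m.group("artifact") in AFFECTED_ARTIFACTS:
            v = m.group("version")
            findings[m.group("artifact")] = (v, classify(m.group("artifact"), v))
    return findings


if __name__ == "__main__":
    for artifact, (v, status) in scan(SAMPLE_OUTPUT).items():
        print(f"{status:10s} {artifact} {v}")
```

Note the pre-release case: a 1.1.8-SNAPSHOT is older than 1.1.8 and is still flagged, which a plain string comparison would miss. The Gradle equivalent is to feed the output of `gradle dependencies` through the same `scan` after adjusting `DEP_RE` for its `group:artifact:version` format.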


Credit

The issue was reported responsibly by Nitro Cao (@NitroCao) from
Alibaba Cloud.


References

    CVSS v3.1 vector (base score 8.6, High):
    https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L&version=3.1

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
