Technical description
Spring AI's MilvusVectorStore doDelete method is vulnerable to filter-expression injection via unsanitized document IDs. Attackers can craft malicious ID values that are embedded directly into Milvus filter expressions rather than parameterized, allowing arbitrary filter logic to execute during delete operations in vector databases used for RAG and agentic AI memory systems.
Attack vector
An attacker with the ability to control document IDs passed to the MilvusVectorStore delete operation can inject arbitrary filter expressions. Because document IDs are concatenated into filter strings rather than passed as bound parameters, a crafted ID can break out of the intended filter context and delete or manipulate unintended vector records. This is directly exploitable in applications where user input or external data influences document identifiers used in vector store operations.
Affected systems
Spring AI 1.0.0 through latest 1.0.x (prior to 1.0.7) and Spring AI 1.1.0 through latest 1.1.x (prior to 1.1.6). Affects deployments using Milvus as a vector store backend for retrieval-augmented generation, agentic memory, or semantic search applications.
Mitigation
Upgrade Spring AI to version 1.0.7 or greater for the 1.0.x branch, or to version 1.1.6 or greater for the 1.1.x branch. Review application code to ensure that document IDs used in vector store delete operations are validated and do not originate from untrusted input without sanitization. Implement least-privilege access controls on Milvus instances to limit blast radius if filter injection occurs.