What happened
The spring-ai-elasticsearch-store, spring-ai-opensearch-store, and spring-ai-gemfire-store components in Spring AI 1.0.0 and later do not properly escape or sanitize special characters in metadata filter expressions before passing them to the underlying vector database query engine. This allows injection of arbitrary query logic, analogous to SQL injection but targeting vector search backends. The advisory was published June 15, 2026 by VMware/Broadcom's Spring security team with a CVSS score of 8.6 (HIGH).
Why it matters
Vector stores are the authoritative knowledge base for RAG-powered LLM applications. An injection attack against the vector store layer allows an attacker to exfiltrate all embedded documents (including proprietary business data, PII, or credentials), corrupt the retrieval results to manipulate LLM responses (indirect prompt injection at scale), or deny service by forcing expensive queries. Because Spring AI is the dominant Java-ecosystem path to building enterprise RAG systems, this affects a large population of production AI deployments.
Attack vector
An attacker supplies crafted special characters in metadata filter parameters passed to the affected Spring AI vector store components. These characters break out of the intended query context and force execution of arbitrary backend queries against Elasticsearch, OpenSearch, or GemFire VectorDB, enabling data exfiltration, cross-tenant data access, or manipulation of the RAG knowledge base used by the LLM.
Affected systems
Spring AI 1.0.0 through 1.0.x (spring-ai-elasticsearch-store, spring-ai-opensearch-store, spring-ai-gemfire-store)
Mitigation
Apply the Spring AI patch that sanitizes special characters in metadata filter inputs for the affected vector store modules. See the official advisory: https://spring.io/security/cve-2026-47835
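As a defense-in-depth measure alongside the patch, metadata filter values that originate from users or tenants can be validated against a strict allowlist before they are ever composed into a filter expression. The following Java class is an added example written for this page; it is not Spring AI code and not part of the official fix. The metadata key names, the character allowlist, and the length limit are assumptions for illustration, and the comment on where it plugs into SearchRequest reflects typical Spring AI usage rather than anything stated in the advisory. It also shows, for contrast, the string-concatenation pattern the advisory warns about.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Defense-in-depth guard for metadata filters that reach a Spring AI vector store.
 * Added example; not Spring AI code. The key names and the length/character
 * limits below are assumptions chosen for this illustration.
 */
public final class MetadataFilterGuard {

    // Only these metadata keys may be filtered on from user-controlled input (assumed schema).
    private static final Set<String> ALLOWED_KEYS = Set.of("tenant", "doc_type", "region");

    // Allowlist, not a denylist: letters, digits, '_', '-' and '.', 1-64 characters.
    // Quotes, backslashes, operators and whitespace never pass, so a value cannot
    // terminate the literal it is embedded in, whatever the backend's escaping rules.
    private static final Pattern SAFE_VALUE = Pattern.compile("^[A-Za-z0-9_.\\-]{1,64}$");

    private MetadataFilterGuard() {}

    /** Returns the value unchanged if key and value are on the allowlist, otherwise throws. */
    public static String requireSafeValue(String key, String value) {
        if (!ALLOWED_KEYS.contains(key)) {
            throw new IllegalArgumentException("metadata key not filterable: " + key);
        }
        if (value == null || !SAFE_VALUE.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected metadata filter value for key '" + key + "'");
        }
        return value;
    }

    /**
     * Builds a filter in Spring AI's portable filter-expression syntax
     * (for example: tenant == 'acme' && doc_type == 'policy') from validated pairs.
     * Every value has passed requireSafeValue, so the single-quoted literals
     * cannot be broken out of by the caller's input.
     */
    public static String buildFilterExpression(Map<String, String> filters) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : filters.entrySet()) {
            String value = requireSafeValue(e.getKey(), e.getValue());
            if (sb.length() > 0) {
                sb.append(" && ");
            }
            sb.append(e.getKey()).append(" == '").append(value).append('\'');
        }
        return sb.toString();
    }

    /**
     * The pattern the advisory warns about: request input spliced straight into the
     * filter text, relying on the store module to escape it. Kept only to contrast
     * with buildFilterExpression; never use it with external input.
     */
    static String unsafeConcatenation(String tenantFromRequest) {
        return "tenant == '" + tenantFromRequest + "'";
    }

    public static void main(String[] args) {
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("tenant", "acme-corp");
        ok.put("doc_type", "policy");
        System.out.println(buildFilterExpression(ok));
        // tenant == 'acme-corp' && doc_type == 'policy'
        System.out.println(unsafeConcatenation("acme-corp")); // same text, but no check happened

        // Constructed sample inputs: one carries a quote, one carries an operator and
        // whitespace. Both are rejected before any filter text is built.
        for (String sample : new String[] {"o'reilly", "acme && region"}) {
            try {
                buildFilterExpression(Map.of("tenant", sample));
            } catch (IllegalArgumentException ex) {
                System.out.println("rejected: " + ex.getMessage());
            }
        }

        // Where this plugs in (assumed, typical Spring AI usage): the returned string is
        // passed to SearchRequest.builder().query(q).filterExpression(buildFilterExpression(ok))
        // .build() before vectorStore.similaritySearch(...). Apply the vendor patch as well;
        // this guard limits exposure, it does not fix the store modules' escaping.
    }
}
```

The allowlist deliberately rejects values such as "o'reilly" that may be legitimate in some schemas; if such values are needed, filter on an opaque identifier (a tenant or document ID that matches the pattern) rather than on free-text metadata, and keep the raw text out of the filter entirely. Because the flaw is in how the store modules translate the expression for the backend, this validation reduces the attack surface but the patched modules remain the actual fix.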