Reference material — not professional advice. Test in staging, back up first, verify against your specific version. Use your own judgment for your environment.
● High · CVSS 8.8

How to Fix CVE-2026-40978: Spring AI (Bundle Sibling)

By Sai Kiran Pandrala

Last verified: 2026-05-25

CVE-2026-40978 is a sibling vulnerability in the same vendor advisory as CVE-2026-40967. Applying the patched build named in the primary write-up closes this CVE as well.

⚡ At a glance

Severity: CVSS 8.8 - High
Actively exploited?: Not currently in CISA KEV
Affected: Same as the bundle - see CVE-2026-40967
Fixed in: Same patched build as CVE-2026-40967 (see vendor advisory)
Type (CWE): CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

What's different about CVE-2026-40978?

A SQL injection vulnerability in Spring AI's CosmosDBVectorStore allows attackers to execute arbitrary SQL queries via crafted document IDs.

Affected versions:

Spring AI 1.0.0 through 1.0.5 (fixed in 1.0.6) and 1.1.0 through 1.1.4 (fixed in 1.1.5)

The technical impact and remediation are identical to the primary CVE in the bundle. The same vendor patch closes both.

How to fix CVE-2026-40978

Apply the patched build per the primary write-up: How to Fix CVE-2026-40967.

The patch installation procedure, verification commands, and interim mitigations are documented there. Reusing one runbook keeps the rollout consistent across the bundle.
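As an added example (not part of this write-up, the vendor advisory or the Spring AI project), a small checker that reads a pom.xml, resolves ${property} versions, and flags every org.springframework.ai dependency that falls inside the affected ranges above, naming the fixed build to move to. The sample pom and its artifactId are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Affected ranges and fixed builds exactly as stated in this write-up.
AFFECTED = [
    ((1, 0, 0), (1, 0, 5), "1.0.6"),
    ((1, 1, 0), (1, 1, 4), "1.1.5"),
]

# Constructed sample pom.xml; the artifactId is illustrative only.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring-ai.version>1.1.3</spring-ai.version></properties>
  <dependencies><dependency>
    <groupId>org.springframework.ai</groupId>
    <artifactId>spring-ai-starter-vector-store-azure-cosmos-db</artifactId>
    <version>${spring-ai.version}</version>
  </dependency></dependencies>
</project>"""

def parse_version(text):
    """Map '1.0.5' or '1.1.4-SNAPSHOT' to a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(version):
    """Return (affected, fixed_in); fixed_in is None when the version is outside both ranges."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return True, fixed
    return False, None

def spring_ai_versions(pom_xml):
    """Yield (artifactId, resolved version) for every org.springframework.ai dependency."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    for dep in root.iter(f"{{{NS['m']}}}dependency"):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "org.springframework.ai":
            continue
        raw = dep.findtext("m:version", default="", namespaces=NS)
        # Resolve ${property} references against <properties>; unknown ones are left as-is.
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        yield dep.findtext("m:artifactId", default="", namespaces=NS), ver

def scan_pom(pom_xml):
    """One (artifactId, version, affected, fixed_in) tuple per Spring AI dependency."""
    return [(art, ver, *assess(ver)) for art, ver in spring_ai_versions(pom_xml)]
```

Run scan_pom over the project's own pom.xml; any tuple with affected=True names the build from the advisory to upgrade to.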

Frequently asked questions

Is CVE-2026-40978 fixed by the same patch as CVE-2026-40967?

Yes. CVE-2026-40978 ships in the same vendor advisory as CVE-2026-40967. Applying the patched build named in the primary write-up closes both.

What is the CVSS score for CVE-2026-40978?

The CVSS base score is 8.8 (High).

Is it being exploited?

It is not currently listed in CISA KEV.

*Part of the Spring AI bundle. Full procedure at CVE-2026-40967.*