CVE-2026-40979
Published Apr 28, 2026
In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 (fixed in 1.0.6), 1.1.0 - 1.1.4 (fixed in 1.1.5)
Affected Software
3 affected components
Spring Spring AI: >=1.0.0 <=1.0.5, >=1.1.0 <=1.1.4
VMware Spring Ai: >=1.0.0 <1.0.6
VMware Spring Ai: >=1.1.0 <1.1.5
Event History
Apr 28, 2026
CVE Published via MITRE · 07:31 AM
Data Sourced via MITRE · 07:31 AM: Description, Severity, Weakness
Data Sourced via NVD · 09:16 AM: Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-40979?
CVE-2026-40979 has a medium severity rating due to the potential exposure of sensitive ONNX models.
2. How do I fix CVE-2026-40979?
To mitigate CVE-2026-40979, upgrade Spring AI to version 1.0.6 or later, or 1.1.5 or later.
3. Which versions of Spring AI are affected by CVE-2026-40979?
CVE-2026-40979 affects Spring AI versions 1.0.0 to 1.0.5 and 1.1.0 to 1.1.4.
4. What type of vulnerability is CVE-2026-40979?
CVE-2026-40979 is an exposure vulnerability that can compromise the confidentiality of model data in shared environments.
5. Is there a workaround for CVE-2026-40979 if I cannot upgrade?
There are no known workarounds for CVE-2026-40979; upgrading to the fixed versions is strongly recommended.