Skip to main content

Java CVE-2026-22744

| EUVDEUVD-2026-16541 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-27 vmware GHSA-44f4-gvwj-6qg3
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
Re-analysis Queued
Apr 16, 2026 - 20:37 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 06:00 euvd
EUVD-2026-16541
Analysis Generated
Mar 27, 2026 - 06:00 vuln.today
CVE Published
Mar 27, 2026 - 05:38 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 maven packages depend on org.springframework.ai:spring-ai-redis-store (1 direct, 1 indirect)

Ecosystem-wide dependent count for version 1.0.0-M5.

DescriptionCVE.org

In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

AnalysisAI

Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).

Technical ContextAI

The vulnerability resides in RedisFilterExpressionConverter within spring-ai-redis-store, which provides vector storage capabilities for Spring AI applications using Redis as a backend. According to CPE data (cpe:2.3:a:spring:spring_ai), the affected product is Spring AI's Redis integration module. When processing filter expressions for TAG field queries, the stringValue() method constructs RediSearch query syntax by directly concatenating user input into @field:{VALUE} patterns without sanitizing metacharacters that have special meaning in RediSearch's TAG query language. This allows attackers to break out of the intended TAG block context and manipulate query logic, potentially accessing data from other tags or fields. The vulnerability represents an injection class flaw similar to SQL injection but targeting RediSearch's query syntax.

RemediationAI

Upgrade Spring AI to version 1.0.5 or later for the 1.0.x release line, or to version 1.1.4 or later for the 1.1.x release line, as documented in the vendor advisory at https://spring.io/security/cve-2026-22744. These patched versions implement proper escaping of special characters in RediSearch TAG filter expressions. Until upgrading is feasible, implement strict input validation and sanitization for all user-controlled values passed to Redis filter expressions, specifically blocking or escaping RediSearch metacharacters including braces, pipes, parentheses, and backslashes. Consider restricting vector store query capabilities to internal services only and avoid exposing filter construction to untrusted user input. Review application logs for anomalous TAG filter patterns that may indicate exploitation attempts targeting Redis query syntax.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-22744 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy