Skip to main content

LangChain4j CVE-2026-55405

| EUVDEUVD-2026-43027 HIGH
SQL Injection (CWE-89)
2026-06-17 https://github.com/langchain4j/langchain4j GHSA-2mfg-cc43-9pcj
7.6
CVSS 3.1 · Vendor: https://github.com/langchain4j/langchain4j
Share

Severity by source

Vendor (https://github.com/langchain4j/langchain4j) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
vuln.today AI
7.6 HIGH

Network-reachable through the application; low complexity; PR:L because the attacker must reach a filter-accepting endpoint; C:H for blind exfiltration, I:L/A:L for bounded row deletion and pg_sleep DoS.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/langchain4j/langchain4j).

CVSS VectorVendor: https://github.com/langchain4j/langchain4j

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 18, 2026 - 01:37 vuln.today
Analysis Generated
Jun 18, 2026 - 01:37 vuln.today
CVE Published
Jun 17, 2026 - 18:39 github-advisory
HIGH 7.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 maven packages depend on dev.langchain4j:langchain4j-pgvector (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 1.3.0-beta9.

DescriptionCVE.org

Summary

The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys (and, in MariaDB, string values) directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations.

Details

pgvector - JSON mode (default, COMBINED_JSON / COMBINED_JSONB). JSONFilterMapper places the key inside a single-quoted SQL literal (the JSON key of the ->> operator) with no escaping:

(metadata->>'<key>')::text

A key containing a single quote breaks out, e.g. metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --") injects a live pg_sleep(1) (observable as a delay; exploitable for blind data extraction).

pgvector - column mode (COLUMN_PER_KEY). ColumnFilterMapper used the key as a bare, unquoted, unvalidated SQL identifier (<key>::<type>), so a key such as 1=1 OR true -- injects directly.

MariaDB - JSON mode (default). JSONFilterMapper placed the key inside the JSON path literal '$.<key>' unescaped (same break-out mechanism). Additionally, MariaDbFilterMapper.formatValue() escaped ' but not \; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal.

MariaDB - column mode (COLUMN_PER_KEY). ColumnFilterMapper fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character).

The filter key is the runtime injection surface; both stores' search() (including pgvector's HYBRID mode) and removeAll(Filter) are affected. Add/upsert operations a parameterized and not affected.

Impact

Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and - through `remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable.

Patches

Fixed in langchain4j-mariadb and langchain4j-pgvector 1.16.3-beta26:

  • JSON filter keys are escaped before being embedded in the SQL string lit

quotes doubled, correct for PostgreSQL standard_conforming_strings = on; MariaDB: backslash and single quote).

  • MariaDB string values escape both \ and '.
  • Column-mode keys are validated/quoted as identifiers and rejected when u

concatenated as raw SQL.

Workarounds

  • Do not pass untrusted input as metadata filter keys.
  • Restrict filter keys to a known allow-list at the application layer.

References

  • pgvector: JSONFilterMapper, ColumnFilterMapper
  • MariaDB: JSONFilterMapper, MariaDbFilterMapper, ColumnFilterMapper

AnalysisAI

SQL injection in LangChain4j's langchain4j-mariadb and langchain4j-pgvector embedding stores allows authenticated attackers who can influence metadata filter keys to execute arbitrary SQL via EmbeddingSearchRequest.filter(), enabling blind data exfiltration, denial of service through sleep functions, and deletion of arbitrary rows via removeAll(Filter). The flaw stems from string-concatenated filter keys (and MariaDB string values) being placed into SQL without escaping, and is particularly relevant where filter keys originate from LLM-generated output or untrusted user input. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify app exposing LLM-driven vector search
Delivery
Craft prompt yielding malicious filter key
Exploit
Submit via EmbeddingSearchRequest.filter()
Execution
Break out of JSON key literal in generated SQL
Persist
Trigger pg_sleep or boolean payload in search()
Impact
Iteratively exfiltrate data or delete rows via removeAll

Vulnerability AssessmentAI

Exploitation The application must call EmbeddingSearchRequest.filter() (or removeAll(Filter)) using either langchain4j-pgvector or langchain4j-mariadb at a vulnerable version, AND the filter key string must be derived from attacker-influenced input - most commonly LLM-generated filters from a tool/agent pipeline, but also any user-supplied metadata key passed through without an allow-list. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L (7.6 High) reflects network reachability through whatever application surface forwards user input into a metadata filter, low complexity, and a requirement that the attacker has some way to influence filter keys (PR:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application exposes a chat or agent endpoint that translates user requests into vector-store metadata filters via an LLM and forwards the generated key into LangChain4j's pgvector embedding store. The attacker submits a prompt that induces the LLM (or directly supplies, via a tool-call argument) a metadata key such as `')::text IS NOT NULL OR pg_sleep(5) IS NOT NULL --`, which breaks out of the JSON key literal and is executed by search(); the attacker then iteratively uses boolean/time-based payloads to exfiltrate row data, or injects a payload through removeAll(Filter) to delete arbitrary embeddings. …
Remediation Vendor-released patch: upgrade langchain4j-mariadb and langchain4j-pgvector to 1.16.3-beta26 (or the matching branch fix: 1.2.1-beta8, 1.5.1-beta11, or 1.11.8-beta19 if pinned to an older line) per https://github.com/langchain4j/langchain4j/security/advisories/GHSA-2mfg-cc43-9pcj, which escapes JSON filter keys (doubled single quotes for PostgreSQL with standard_conforming_strings=on; backslash and single quote for MariaDB), escapes both backslash and single quote in MariaDB string values, and validates or quotes column-mode keys as identifiers rather than concatenating them as raw SQL. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications using langchain4j-mariadb or langchain4j-pgvector and document their exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-55405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy