Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 45 maven packages depend on org.springframework.ai:spring-ai-vector-store (25 direct, 20 indirect)
Ecosystem-wide dependent count for version 1.1.0-M1.
DescriptionCVE.org
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.
This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.
The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
AnalysisAI
Spring AI's AbstractFilterExpressionConverter fails to properly escape user-controlled input in JSONPath queries, allowing authenticated attackers to inject arbitrary expressions and bypass access controls in vector store implementations. This impacts applications relying on the converter for multi-tenant isolation, role-based access, or metadata-based document filtering, enabling attackers to access unauthorized documents. No patch is currently available.
Technical ContextAI
Spring AI is VMware's framework for building AI-powered applications in Java, specifically working with vector databases and large language models. The vulnerability affects the AbstractFilterExpressionConverter component used in vector store implementations, where applications leverage JSONPath expressions to filter documents based on metadata attributes. The root cause is improper neutralization of special elements used in commands (similar to injection flaws), where user-supplied values containing special characters like double quotes, logical OR (||), and logical AND (&&) operators are concatenated directly into JSONPath queries without sanitization or parameterization. This allows attackers to break out of the intended query structure and inject arbitrary JSONPath logic that can alter query semantics, particularly bypassing filters designed to enforce tenant boundaries or access controls based on document metadata in vector search operations.
RemediationAI
Upgrade VMware Spring AI to version 1.0.4 or later for the 1.0.x branch, or to version 1.1.3 or later for the 1.1.x branch as documented in the vendor advisory at https://spring.io/security/cve-2026-22729. Until patching is completed, implement compensating controls by validating and sanitizing all user-supplied input used in filter expressions before passing to FilterExpressionBuilder, specifically escaping or rejecting special JSONPath characters including double quotes, pipes (||), ampersands (&&), brackets, and other JSONPath operators. Organizations should also review their vector store implementations to ensure proper input validation is enforced at the application layer, consider implementing allowlists for permitted filter field names and values, and audit existing access control logic to verify it cannot be bypassed through query manipulation. For high-risk deployments, consider temporarily disabling user-controlled filter expressions in favor of server-side predetermined filters until patches can be applied.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12795
GHSA-rp9g-qx29-88cp