Skip to main content

Java EUVDEUVD-2026-12795

| CVE-2026-22729 HIGH
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-03-18 vmware GHSA-rp9g-qx29-88cp
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 18, 2026 - 08:00 euvd
EUVD-2026-12795
Analysis Generated
Mar 18, 2026 - 08:00 vuln.today
CVE Published
Mar 18, 2026 - 07:39 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 45 maven packages depend on org.springframework.ai:spring-ai-vector-store (25 direct, 20 indirect)

Ecosystem-wide dependent count for version 1.1.0-M1.

DescriptionCVE.org

A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.

This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.

The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.

AnalysisAI

Spring AI's AbstractFilterExpressionConverter fails to properly escape user-controlled input in JSONPath queries, allowing authenticated attackers to inject arbitrary expressions and bypass access controls in vector store implementations. This impacts applications relying on the converter for multi-tenant isolation, role-based access, or metadata-based document filtering, enabling attackers to access unauthorized documents. No patch is currently available.

Technical ContextAI

Spring AI is VMware's framework for building AI-powered applications in Java, specifically working with vector databases and large language models. The vulnerability affects the AbstractFilterExpressionConverter component used in vector store implementations, where applications leverage JSONPath expressions to filter documents based on metadata attributes. The root cause is improper neutralization of special elements used in commands (similar to injection flaws), where user-supplied values containing special characters like double quotes, logical OR (||), and logical AND (&&) operators are concatenated directly into JSONPath queries without sanitization or parameterization. This allows attackers to break out of the intended query structure and inject arbitrary JSONPath logic that can alter query semantics, particularly bypassing filters designed to enforce tenant boundaries or access controls based on document metadata in vector search operations.

RemediationAI

Upgrade VMware Spring AI to version 1.0.4 or later for the 1.0.x branch, or to version 1.1.3 or later for the 1.1.x branch as documented in the vendor advisory at https://spring.io/security/cve-2026-22729. Until patching is completed, implement compensating controls by validating and sanitizing all user-supplied input used in filter expressions before passing to FilterExpressionBuilder, specifically escaping or rejecting special JSONPath characters including double quotes, pipes (||), ampersands (&&), brackets, and other JSONPath operators. Organizations should also review their vector store implementations to ensure proper input validation is enforced at the application layer, consider implementing allowlists for permitted filter field names and values, and audit existing access control logic to verify it cannot be bypassed through query manipulation. For high-risk deployments, consider temporarily disabling user-controlled filter expressions in favor of server-side predetermined filters until patches can be applied.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

EUVD-2026-12795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy