Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 2 maven packages depend on org.springframework.ai:spring-ai-redis-store (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.0.0-M5.
DescriptionCVE.org
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
AnalysisAI
Spring AI Redis vector store implementations expose sensitive data through unescaped TAG field filter injection in versions 1.0.0-1.0.4 and 1.1.0-1.1.3. Unauthenticated remote attackers can craft malicious filter expressions that bypass query boundaries in RediSearch TAG blocks, allowing extraction of unauthorized information from the vector database (CVSS 7.5 High, C:H). No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given its low attack complexity (AC:L).
Technical ContextAI
The vulnerability resides in RedisFilterExpressionConverter within spring-ai-redis-store, which provides vector storage capabilities for Spring AI applications using Redis as a backend. According to CPE data (cpe:2.3:a:spring:spring_ai), the affected product is Spring AI's Redis integration module. When processing filter expressions for TAG field queries, the stringValue() method constructs RediSearch query syntax by directly concatenating user input into @field:{VALUE} patterns without sanitizing metacharacters that have special meaning in RediSearch's TAG query language. This allows attackers to break out of the intended TAG block context and manipulate query logic, potentially accessing data from other tags or fields. The vulnerability represents an injection class flaw similar to SQL injection but targeting RediSearch's query syntax.
RemediationAI
Upgrade Spring AI to version 1.0.5 or later for the 1.0.x release line, or to version 1.1.4 or later for the 1.1.x release line, as documented in the vendor advisory at https://spring.io/security/cve-2026-22744. These patched versions implement proper escaping of special characters in RediSearch TAG filter expressions. Until upgrading is feasible, implement strict input validation and sanitization for all user-controlled values passed to Redis filter expressions, specifically blocking or escaping RediSearch metacharacters including braces, pipes, parentheses, and backslashes. Consider restricting vector store query capabilities to internal services only and avoid exposing filter construction to untrusted user input. Review application logs for anomalous TAG filter patterns that may indicate exploitation attempts targeting Redis query syntax.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16541
GHSA-44f4-gvwj-6qg3