Security researchers have issued a dual-threat alert for developers utilizing the Spring AI framework, a popular tool for integrating Artificial Intelligence into Java applications. Two high-severity vulnerabilities have been identified that could allow attackers to bypass metadata-based access controls and execute unauthorized commands.
The flaws target the core of how Spring AI handles data filtering and database interactions, specifically impacting JSONPath and MariaDB integrations.
The first vulnerability, tracked as CVE-2026-22729 (CVSS 8.6), affects Spring AI's AbstractFilterExpressionConverter within its Vector Store implementations. Researchers discovered that user-controlled input passed to the FilterExpressionBuilder is concatenated into queries without proper escaping.
As the security advisory warns:
“User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents”.
By injecting special characters like || or &&, an authenticated attacker can alter the intended query semantics. This is particularly dangerous for applications relying on these stores for multi-tenant isolation or role-based access control, as it could lead to the exposure of sensitive documents belonging to other users.
The second, and even more severe, flaw is CVE-2026-22730 (CVSS 8.8). This critical SQL injection vulnerability resides in the MariaDBFilterExpressionConverter.
Similar to the JSONPath issue, this vulnerability exists due to a “missing input sanitization” when converting filter expressions into database queries.
“A critical SQL injection vulnerability in Spring AI’s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands”.
Attackers could potentially read, modify, or delete entire databases, moving far beyond simple document filtering.
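Both flaws share one root cause: a user-supplied metadata value reaches a filter converter as raw text and is glued into a query. The vendor fix is the upgrade; until that is rolled out, the compensating control a defender can apply at the application boundary is the same for the JSONPath and the MariaDB converters: allowlist the metadata keys and values that are permitted in tenant or role filters before they are handed to any builder. The following Java class is an added example written for this article, not code from Spring AI or from the advisory; the class name, the regular expressions and the sample inputs are constructed here, and the FilterExpressionBuilder call mentioned in the trailing comment is an assumption about the Spring AI API shape that you should verify against your version.

```java
import java.util.regex.Pattern;

/**
 * Hypothetical pre-filter guard for metadata values taken from users before
 * they reach a vector-store filter expression. Not part of Spring AI.
 */
public final class MetadataFilterGuard {

    // Allowlist for metadata keys and values used in tenant/role filters.
    // Quotes, '|', '&', ';', whitespace and other punctuation are outside the
    // set, so a downstream converter that concatenates the value can never
    // read it as JSONPath or SQL logic.
    private static final Pattern SAFE_KEY =
            Pattern.compile("^[A-Za-z_][A-Za-z0-9_]{0,31}$");
    private static final Pattern SAFE_VALUE =
            Pattern.compile("^[A-Za-z0-9._-]{1,64}$");

    private MetadataFilterGuard() {}

    public static boolean isSafeKey(String key) {
        return key != null && SAFE_KEY.matcher(key).matches();
    }

    public static boolean isSafeValue(String value) {
        return value != null && SAFE_VALUE.matcher(value).matches();
    }

    /** Returns the value unchanged or throws, so a caller cannot skip the check. */
    public static String requireSafeValue(String value) {
        if (!isSafeValue(value)) {
            throw new IllegalArgumentException("metadata filter value rejected by allowlist");
        }
        return value;
    }

    /**
     * Defence in depth for the JSONPath case: even a value that passed the
     * allowlist is emitted as a quoted string literal with backslashes and
     * single quotes escaped, so relaxing the allowlist later still cannot
     * turn the value into an operator. The allowlist remains the primary control.
     */
    public static String jsonPathEq(String key, String value) {
        if (!isSafeKey(key)) {
            throw new IllegalArgumentException("metadata filter key rejected by allowlist");
        }
        String literal = requireSafeValue(value)
                .replace("\\", "\\\\")
                .replace("'", "\\'");
        return "@.metadata." + key + " == '" + literal + "'";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal tenant id, two values carrying
        // the operator characters the advisory mentions, and an empty string.
        String[] samples = { "tenant-42", "tenant-42 || true", "acme' && 1", "" };
        for (String s : samples) {
            String verdict = isSafeValue(s)
                    ? "accepted: " + jsonPathEq("tenant", s)
                    : "rejected";
            System.out.printf("%-22s -> %s%n", "\"" + s + "\"", verdict);
        }
        // With Spring AI the checked value would then go to the builder, e.g.
        //   new FilterExpressionBuilder().eq("tenant", requireSafeValue(userTenant)).build()
        // (assumed API shape; confirm against the Spring AI version in use).
    }
}
```

Place the check where the tenant or role value enters the application (the authenticated principal, not a request parameter), and log every rejection: a burst of rejected filter values containing `||`, `&&` or quotes is a useful detection signal for probing against the vector store endpoints while the upgrade is pending.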
Both vulnerabilities impact Spring AI versions 1.0.0 through 1.1.x. Organizations utilizing these versions for document filtering based on metadata are at the highest risk.
The Spring team has moved quickly to release patches. Developers are urged to upgrade to the corresponding fixed versions immediately: