Spring AI Vector Store Filter Injection — JSONPath and SQL Injection Bypass Multi-Tenant Access Controls

1. Executive Summary

Two high-severity injection vulnerabilities in Spring AI's vector store filter expression layer allow attackers to bypass metadata-based access controls used for multi-tenant isolation. CVE-2026-22729 (CNA-submitted CVSS 8.6 HIGH) enables JSONPath injection in AbstractFilterExpressionConverter, and CVE-2026-22730 (CNA-submitted CVSS 8.8 HIGH) enables SQL injection in MariaDBFilterExpressionConverter (NVD). Both were published on 18 March 2026 and remain in "Awaiting Analysis" status at NVD (NVD). Exploitation of CVE-2026-22730 requires low-privilege access (NVD); CVE-2026-22729's authentication requirement is ambiguous due to a discrepancy between its NVD description ("authenticated users") and CNA-submitted CVSS vector (PR:N) (NVD).

Organisations deploying Spring AI vector stores with metadata-based filtering for tenant isolation, role-based access control, or document-level permissions should upgrade to Spring AI 1.0.4 or 1.1.3, which contain fixes for both vulnerabilities (GHSA-rp9g-qx29-88cp, GHSA-c267-rfvc-mvpm).

2. Risk Rating

CVSS Detail

Both CVSS scores are CNA-submitted by VMware (security@vmware.com) and classified as "Secondary" in the NVD response. NVD has not completed its own analysis for either CVE (NVD status: Awaiting Analysis as of 2026-03-22).

CVE-2026-22729: Base Score 8.6 HIGH — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (CNA: VMware, Secondary) (NVD)

CVE-2026-22730: Base Score 8.8 HIGH — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (CNA: VMware, Secondary) (NVD)

Authentication Discrepancy — CVE-2026-22729

The NVD description for CVE-2026-22729 states the vulnerability "permits authenticated users to circumvent metadata-based access controls" (NVD). However, the CNA-submitted CVSS vector specifies PR:N (no privileges required) (NVD). These statements are contradictory: the description implies at least application-level authentication, while the vector indicates no privileges are needed. This discrepancy originates from VMware's CNA submission and has not been resolved by NVD analysis. The authentication requirement is unresolved; exploitation requires the ability to submit filter expressions to a vector store query endpoint (RAXE assessment).

3. Affected Products

Vendor: VMware / Broadcom. Version ranges sourced from GitHub Security Advisories (GHSA-rp9g-qx29-88cp, GHSA-c267-rfvc-mvpm) and confirmed by Spring.io security advisories. NVD CPE data is not yet populated (status: Awaiting Analysis) (NVD).

Am I Affected?

• Check if your application uses Spring AI's vector store functionality with filter expressions
• Check if user-controlled input is passed to FilterExpressionBuilder or vector store query methods (RAXE assessment)
• Check if your deployment uses metadata-based filtering for multi-tenant isolation or role-based access control (NVD)
• Specifically check for use of MariaDB as a vector store backend (CVE-2026-22730) (NVD)

4. Abstract

Two injection vulnerabilities in Spring AI's filter expression converter layer enable bypass of metadata-based access controls in vector store implementations. CVE-2026-22729 (CWE-917) allows JSONPath injection via unsanitised special characters in AbstractFilterExpressionConverter, enabling unauthorised read access to documents across tenant boundaries with Changed scope (NVD). CVE-2026-22730 (CWE-89) allows SQL injection via unsanitised input in MariaDBFilterExpressionConverter, enabling arbitrary SQL command execution with full confidentiality, integrity, and availability impact (NVD). Both vulnerabilities target the same architectural layer — the filter expression converter that translates user-facing queries into backend query languages — representing a systemic input sanitisation failure in Spring AI's access control mechanism (RAXE assessment).

5. Key Findings

1. JSONPath injection in AbstractFilterExpressionConverter — User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping; special characters including ", ||, and && are passed through unescaped (NVD).

2. SQL injection in MariaDBFilterExpressionConverter — Missing input sanitisation allows arbitrary SQL command execution via filter expressions targeting MariaDB vector store backends (NVD).

3. Metadata-based access control bypass — Both vulnerabilities enable circumvention of the filter expression layer used for multi-tenant isolation, role-based access control, and document-level permissions in Spring AI vector stores (NVD).

4. Systemic root cause — The shared root cause is insufficient input sanitisation in the filter expression converter layer, suggesting other backend-specific converter implementations may be similarly affected (RAXE assessment).

5. NVD analysis pending — Both CVEs are in "Awaiting Analysis" status; CVSS scores are CNA-submitted by VMware and have not undergone independent NVD analysis (NVD). Affected and fixed versions are confirmed via GitHub Security Advisories: patches available in Spring AI 1.0.4 and 1.1.3 (GHSA-rp9g-qx29-88cp, GHSA-c267-rfvc-mvpm).

6. Attack Flow

CVE-2026-22729 — JSONPath Injection:

  Attacker (auth unresolved)      Spring AI Application              Vector Store (PgVector/etc.)
       |                                |                                    |
       |  1. Submit filter query with   |                                    |
       |     injected JSONPath chars    |                                    |
       |  (", ||, &&)                   |                                    |
       |------------------------------->|                                    |
       |                                |  2. FilterExpressionBuilder        |
       |                                |     concatenates input into        |
       |                                |     JSONPath without escaping      |
       |                                |     (NVD)                          |
       |                                |----------------------------------->|
       |                                |                                    |  3. Injected JSONPath
       |                                |                                    |     alters query semantics
       |                                |                                    |     (NVD)
       |                                |<-----------------------------------|
       |                                |  4. Returns documents from         |
       |  5. Receives cross-tenant      |     other tenants/roles            |
       |     documents                  |                                    |
       |<-------------------------------|                                    |

CVE-2026-22730 — SQL Injection:

  Low-Privilege User              Spring AI Application              MariaDB Backend
       |                                |                                    |
       |  1. Submit filter query with   |                                    |
       |     SQL injection payload      |                                    |
       |------------------------------->|                                    |
       |                                |  2. MariaDBFilterExpression-       |
       |                                |     Converter processes input      |
       |                                |     without sanitisation (NVD)     |
       |                                |----------------------------------->|
       |                                |                                    |  3. Arbitrary SQL
       |                                |                                    |     executes (NVD)
       |                                |<-----------------------------------|
       |  4. Data exfiltration,         |                                    |
       |     modification, or DoS       |                                    |
       |<-------------------------------|                                    |

All steps in these diagrams are derived from the NVD advisory descriptions except where marked (RAXE assessment).

7. Technical Details

CVE-2026-22729 — JSONPath Injection (CWE-917)

The vulnerability resides in Spring AI's AbstractFilterExpressionConverter, a base class that converts user-facing filter expressions into backend-specific query languages (NVD). User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping (NVD). The NVD description identifies specific injectable characters: ", ||, and && — these are passed through unescaped, enabling injection of arbitrary JSONPath logic that alters the intended query semantics (NVD).

The CNA-submitted CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates Changed scope with HIGH confidentiality impact and no integrity or availability impact (NVD). The Changed scope designation means the attacker can access resources beyond the vulnerable component's authorisation boundary, which the NVD description confirms: the vulnerability affects "multi-tenant isolation, role-based access control, or document filtering based on metadata" (NVD).

CVE-2026-22730 — SQL Injection (CWE-89)

MariaDBFilterExpressionConverter, a backend-specific implementation of the filter expression converter, fails to sanitise user input before incorporating it into SQL queries (NVD). This allows attackers with low-privilege access (PR:L) to execute arbitrary SQL commands against the MariaDB backend (NVD).

The CNA-submitted CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates full confidentiality, integrity, and availability impact within the vulnerable component's scope, consistent with the NVD description's statement that the vulnerability "allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands" (NVD).

Shared Architectural Weakness

Both vulnerabilities share the same root cause: user-controlled input in filter expressions is concatenated into backend queries without proper escaping or sanitisation (NVD). CVE-2026-22729 affects AbstractFilterExpressionConverter, described by the NVD advisory as a component used "for multi-tenant isolation, role-based access control, or document filtering based on metadata" (NVD). CVE-2026-22730 affects MariaDBFilterExpressionConverter, a database-specific implementation (NVD). The GHSA advisories confirm the affected packages are spring-ai-vector-store and spring-ai-mariadb-store respectively (GHSA-rp9g-qx29-88cp, GHSA-c267-rfvc-mvpm). This suggests that the filter expression converter hierarchy may have other backend-specific implementations with similar input sanitisation gaps, though this has not been confirmed (RAXE assessment).

8. Confidence & Validation

Assessment Confidence: High

EPSS Scores (2026-03-21): - CVE-2026-22729: 0.00051 (15.88th percentile) (FIRST.org EPSS) - CVE-2026-22730: 0.00016 (3.47th percentile) (FIRST.org EPSS)

9. Detection Signatures

Detection Limitations and Prerequisites

These detection rules require application-level logging of HTTP request parameters or vector store query inputs. Spring AI does not produce a standardised log format for filter expressions by default (RAXE assessment). Rules 1-3 are field-mapped Sigma templates, not drop-in rules: they use normalised fields (cs-uri-query, cs-uri, message, level) that require per-platform field mapping to the target log source before deployment. Rule 4 is a YARA posture rule for compiled Java artefacts that detects component presence, not vulnerable versions.

Sigma — JSONPath Injection Attempt (Delivery Telemetry)

title: Spring AI Vector Store JSONPath Injection Attempt
id: raxe-2026-041-sigma-01
status: experimental
description: >
  Detects potential JSONPath injection in Spring AI vector store filter expressions.
  CVE-2026-22729 allows injection of arbitrary JSONPath logic via unescaped special
  characters in filter input passed to AbstractFilterExpressionConverter (NVD).
  Classification: Delivery telemetry — may match legitimate filter usage.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-22729
  - https://spring.io/security/cve-2026-22729
author: RAXE Labs
date: 2026-03-22
tags:
  - attack.initial-access
  - cve.2026-22729
  - cwe.917
logsource:
  category: webserver
  product: spring
detection:
  selection_jsonpath_operators:
    cs-uri-query|contains:
      - '||'
      - '&&'
      - '$['
      - '$.'
  selection_filter_context:
    cs-uri|contains:
      - '/search'
      - '/query'
      - '/similarity'
      - '/filter'
  condition: selection_jsonpath_operators and selection_filter_context
falsepositives:
  - Legitimate use of JSONPath operators in filter expressions
  - Application-specific query endpoints that accept complex filter syntax
level: medium

Sigma — SQL Injection Attempt (Delivery Telemetry)

title: Spring AI MariaDB Filter SQL Injection Attempt
id: raxe-2026-041-sigma-02
status: experimental
description: >
  Detects potential SQL injection in Spring AI vector store filter expressions targeting
  MariaDB backends. CVE-2026-22730 allows arbitrary SQL execution via unsanitised filter
  input in MariaDBFilterExpressionConverter (NVD).
  Classification: Delivery telemetry — standard SQLi detection in vector store context.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-22730
  - https://spring.io/security/cve-2026-22730
author: RAXE Labs
date: 2026-03-22
tags:
  - attack.initial-access
  - cve.2026-22730
  - cwe.89
logsource:
  category: webserver
  product: spring
detection:
  selection_sqli_patterns:
    cs-uri-query|contains:
      - "' OR "
      - "' AND "
      - 'UNION SELECT'
      - 'UNION ALL SELECT'
      - "'; --"
      - "' OR 1=1"
      - "' OR '1'='1"
  selection_filter_context:
    cs-uri|contains:
      - '/search'
      - '/query'
      - '/similarity'
      - '/filter'
  condition: selection_sqli_patterns and selection_filter_context
falsepositives:
  - Automated security scanning tools testing for SQL injection
  - Legitimate query content containing SQL-like syntax
level: medium

Sigma — Filter Expression Converter Error (Hunting Rule)

title: Spring AI Filter Expression Converter Error
id: raxe-2026-041-sigma-03
status: experimental
description: >
  Hunting rule: detects error-level log entries from Spring AI filter expression
  converter classes. Injection attempts that fail to parse cleanly may generate
  exceptions in AbstractFilterExpressionConverter or its subclasses (RAXE assessment).
  Requires application-level logging of Spring AI internals.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-22729
  - https://nvd.nist.gov/vuln/detail/CVE-2026-22730
author: RAXE Labs
date: 2026-03-22
tags:
  - attack.initial-access
  - cve.2026-22729
  - cve.2026-22730
logsource:
  category: application
  product: spring
detection:
  selection_class:
    message|contains:
      - 'FilterExpressionConverter'
      - 'FilterExpressionBuilder'
      - 'MariaDBFilterExpression'
      - 'AbstractFilterExpression'
  selection_error:
    level:
      - ERROR
      - WARN
  condition: selection_class and selection_error
falsepositives:
  - Malformed but benign filter input causing parse errors
  - Application startup or configuration issues with vector store setup
level: medium

YARA — Spring AI Component Presence Detection (Posture/Exposure)

rule RAXE_2026_041_SpringAI_FilterExpressionConverter
{
    meta:
        description = "Detects Spring AI AbstractFilterExpressionConverter and MariaDBFilterExpressionConverter class names in Java artifacts. Posture rule: identifies deployments using the affected components — does NOT distinguish vulnerable from patched versions, as these classes exist in both (RAXE assessment)."
        author = "RAXE Labs"
        date = "2026-03-22"
        reference_cve1 = "CVE-2026-22729"
        reference_cve2 = "CVE-2026-22730"
        severity = "medium"
        classification = "posture"

    strings:
        $class1 = "AbstractFilterExpressionConverter" ascii wide
        $class2 = "MariaDBFilterExpressionConverter" ascii wide
        $class3 = "FilterExpressionBuilder" ascii wide
        $pkg = "org/springframework/ai" ascii
        $jar_magic = { 50 4B 03 04 }

    condition:
        $jar_magic at 0 and $pkg and any of ($class1, $class2, $class3)
}

10. Detection & Mitigation

Detection Guidance

• Web application firewall (WAF): Configure rules to inspect query parameters on vector store endpoints for JSONPath operators (||, &&, $[, $.) and SQL injection patterns (UNION, OR 1=1, '; --) (RAXE assessment)
• Application logging: Enable request parameter logging on vector store query endpoints to capture filter expression content for retrospective analysis (RAXE assessment)
• Error monitoring: Monitor Spring AI application logs for exceptions from FilterExpressionConverter classes, which may indicate injection attempts (RAXE assessment)
• Cross-tenant access auditing: If the application logs tenant context alongside query results, audit for queries returning documents outside the requesting user's tenant scope (RAXE assessment)

Mitigation

1. Patch — Upgrade to Spring AI 1.0.4 (for 1.0.x users) or 1.1.3 (for 1.1.x users), which fix both CVE-2026-22729 and CVE-2026-22730 (GHSA-rp9g-qx29-88cp, GHSA-c267-rfvc-mvpm).
2. Input validation — Apply allowlist-based validation to filter expression fields and operators before passing to FilterExpressionBuilder. Reject input containing JSONPath or SQL metacharacters (RAXE assessment).
3. Restrict filter capabilities — Where possible, limit user-facing filter expressions to predefined field names and comparison operators rather than accepting arbitrary expressions (RAXE assessment).
4. Network segmentation — Restrict direct database access from the application tier to limit the impact of SQL injection (RAXE assessment).

11. Indicators of Compromise

All indicators above are behavioural and classified as hunting-grade — they are not confirmed IOCs and may match legitimate application behaviour (RAXE assessment).

12. Strategic Context

These vulnerabilities highlight an emerging pattern in AI infrastructure security: injection attacks targeting the data retrieval layer of RAG (Retrieval-Augmented Generation) systems (RAXE assessment). As organisations adopt vector stores with metadata-based access controls for multi-tenant AI deployments, the filter expression layer becomes a trust boundary — and a high-value target for access control bypass (RAXE assessment).

Spring AI's positioning within the VMware/Broadcom enterprise ecosystem means these vulnerabilities are relevant to Java-based enterprise AI deployments (RAXE assessment). The discovery of injection flaws in both the generic base class (AbstractFilterExpressionConverter) and a specific backend implementation (MariaDBFilterExpressionConverter) suggests that input sanitisation was not systematically applied across the filter expression converter hierarchy (RAXE assessment).

Organisations evaluating or deploying AI frameworks with vector store backends should treat filter expression handling as a security-critical code path requiring the same rigour as traditional SQL query construction (RAXE assessment).

13. References

1. CVE-2026-22729 — NVD entry for JSONPath injection in Spring AI AbstractFilterExpressionConverter
2. CVE-2026-22730 — NVD entry for SQL injection in Spring AI MariaDBFilterExpressionConverter
3. GHSA-rp9g-qx29-88cp — GitHub Security Advisory for CVE-2026-22729 (spring-ai-vector-store)
4. GHSA-c267-rfvc-mvpm — GitHub Security Advisory for CVE-2026-22730 (spring-ai-mariadb-store)
5. Spring Security Advisory CVE-2026-22729 — VMware vendor advisory
6. Spring Security Advisory CVE-2026-22730 — VMware vendor advisory
7. FIRST.org EPSS — CVE-2026-22729 — Exploit Prediction Scoring System
8. FIRST.org EPSS — CVE-2026-22730 — Exploit Prediction Scoring System
9. CISA KEV Catalog — Neither CVE listed as of 2026-03-22
10. NULL200OK/CVE-2026-22730-Scanner — Public scanner/exploit tool for CVE-2026-22730 (SQL injection in MariaDB vector store)