CVE-2026-22729 in Spring AI

Summary

by MITRE • 03/18/2026

A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.

This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.

The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.


Analysis

by VulDB Data Team • 03/30/2026

The vulnerability identified as CVE-2026-22729 is a critical JSONPath injection flaw in Spring AI's AbstractFilterExpressionConverter component that undermines access control in applications built on vector stores. It arises from insufficient input validation and sanitization, which lets authenticated users manipulate filter expressions through crafted JSONPath fragments. The flaw specifically affects applications that implement multi-tenant isolation, role-based access control, or metadata-based document filtering, making it particularly dangerous where data segregation and access privileges are paramount. An attacker can bypass these controls by injecting JSONPath syntax that alters the intended query behavior, potentially gaining access to documents that should be restricted to specific user roles or tenants.

The technical implementation of this vulnerability stems from the improper handling of user-controlled input within the FilterExpressionBuilder component, which concatenates raw user-supplied values directly into JSONPath queries without adequate escaping mechanisms. When developers pass user-provided filter parameters into the system, special characters including double quotes, logical OR operators, and logical AND operators are not properly escaped or sanitized before being incorporated into the JSONPath expressions. This lack of input sanitization creates an injection vector where attackers can manipulate the query structure by introducing additional JSONPath operators or functions that alter the intended filtering logic. The vulnerability is particularly insidious because it operates at the metadata level where access control decisions are made, allowing attackers to craft expressions that either bypass existing filters entirely or modify them to include unauthorized data access paths.

The operational impact of this vulnerability extends beyond simple unauthorized data access, potentially enabling attackers to perform sophisticated data exfiltration operations through the manipulation of JSONPath queries. In multi-tenant environments, this could allow users to access documents belonging to other tenants, effectively breaking the isolation boundaries that protect sensitive data. The vulnerability's exploitation capability is further amplified in role-based access control systems where attackers could manipulate filter expressions to bypass role restrictions and access data that should be limited to specific user groups. Additionally, in applications that rely on vector stores for document filtering, this vulnerability could enable attackers to retrieve information from documents that contain metadata values they should not be able to access, fundamentally compromising the integrity of the access control framework.

Mitigation strategies for CVE-2026-22729 should focus on implementing comprehensive input validation and sanitization measures within the AbstractFilterExpressionConverter and FilterExpressionBuilder components. Organizations should ensure that all user-supplied values are properly escaped or encoded before being incorporated into JSONPath queries, particularly targeting special characters that could enable injection attacks. The implementation of a dedicated JSONPath escaping mechanism that prevents the interpretation of user input as query operators is essential. Security measures should also include the enforcement of least privilege principles for filter expression processing, limiting the scope of what user inputs can affect within the query structure. Additionally, organizations should consider implementing automated input validation checks and regular security testing of filter expression handling components to detect potential injection vectors. The vulnerability aligns with CWE-77 and CWE-94 categories related to command and script injection, while also mapping to ATT&CK techniques involving privilege escalation and data access manipulation through input validation bypass methods.
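The following is an added illustration, not Spring AI's own code: a minimal metadata-filter-to-JSONPath builder showing the unescaped concatenation the advisory describes next to a hardened form that renders the value as an escaped string literal and, for access-control keys such as a tenant id, allow-lists the value first. The function names (unsafe_eq, safe_eq, tenant_filter) and the regexes are assumptions for the example.

```python
import re

# Illustrative constraints (assumed, not from Spring AI): metadata keys are
# plain identifiers, tenant ids are short lowercase slugs.
_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
_TENANT_RE = re.compile(r"[a-z0-9-]{1,64}\Z")


def unsafe_eq(key: str, value: str) -> str:
    """Vulnerable form: the user-controlled value lands in the query verbatim,
    so a quote followed by || or && rewrites the filter logic."""
    return f'$[?(@.{key} == "{value}")]'


def jsonpath_string(value: str) -> str:
    """Render value as a JSONPath double-quoted string literal; backslash and
    quote are escaped so the value can never terminate the literal."""
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("\n", "\\n")
                    .replace("\r", "\\r"))
    return f'"{escaped}"'


def safe_eq(key: str, value: str) -> str:
    """Hardened form: key restricted to an identifier, value always a literal."""
    if not _KEY_RE.match(key):
        raise ValueError(f"invalid metadata key: {key!r}")
    return f"$[?(@.{key} == {jsonpath_string(value)})]"


def tenant_filter(tenant_id: str) -> str:
    """For keys that carry access-control decisions, reject anything outside
    the allow-list before it reaches the query builder at all."""
    if not _TENANT_RE.match(tenant_id):
        raise ValueError("tenant id rejected by allow-list")
    return safe_eq("tenant", tenant_id)


if __name__ == "__main__":
    # Constructed sample value carrying a quote and the || operator.
    hostile = 'tenant-a" || @.tenant == "tenant-b'
    print(unsafe_eq("tenant", hostile))  # filter now matches two tenants
    print(safe_eq("tenant", hostile))    # value stays one opaque literal
```

Escaping keeps the builder correct for arbitrary values; the allow-list is the stronger control for fields that carry authorization decisions, since a tenant id never legitimately contains quotes or operators.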

Responsible

VMware

Reservation

01/09/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00035

KEV

no

Activities

very low

Sources
