Description
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.

This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.

The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
Published: 2026-03-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Metadata access bypass via JSONPath injection
Action: Immediate Patch
AI Analysis

Impact

A high‑severity JSONPath injection flaw in VMware Spring AI’s AbstractFilterExpressionConverter lets authenticated users insert arbitrary JSONPath logic into filter expressions. Because user‑controlled values are concatenated into the query string without proper escaping, an attacker can alter the intended query semantics and bypass metadata‑based access controls, thereby retrieving documents they should not be able to view. The vulnerability is a classic example of CWE‑917: Improper Handling of Encoded Data.

Affected Systems

Any application that implements the Spring AI vector store and extends the AbstractFilterExpressionConverter is susceptible. This includes multi‑tenant deployments, role‑based access control rules, and any custom document filtering that relies on metadata. No specific version numbers are provided in the advisory, so all current releases prior to a vendor patch are potentially impacted.

Risk and Exploitability

The CVSS score of 8.6 indicates that the flaw can have a serious impact on confidentiality, integrity, and availability. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. However, because it requires the attacker to have authenticated access that includes permission to craft filter expressions, the attack vector is essentially in‑application. If an attacker obtains such access, the risk escalates to full unauthorized data disclosure.

Generated by OpenCVE AI on April 2, 2026 at 03:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Consult VMware Spring AI’s security advisories and apply any available patch or update that fixes JSONPath escaping.
  • If an update is not yet available, review the filter expression handling code to escape or validate user input before concatenation.
  • Disable or restrict advanced filter features that allow arbitrary JSONPath expressions until a fix is deployed.
  • Monitor authentication and filter‑expression activity for signs of abuse.
  • Implement a least‑privilege model so that only trusted users can construct complex filter expressions.

Generated by OpenCVE AI on April 2, 2026 at 03:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rp9g-qx29-88cp JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
References
Link Providers
https://spring.io/security/cve-2026-22729 cve-icon cve-icon
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Vmware spring Ai
CPEs cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*
Vendors & Products Vmware spring Ai

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-917

Wed, 18 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Vmware
Vmware spring
Vendors & Products Vmware
Vmware spring

Wed, 18 Mar 2026 08:00:00 +0000

Type Values Removed Values Added
Description A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata. The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
Title CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Vmware Spring Spring Ai
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-03-18T15:35:10.685Z

Reserved: 2026-01-09T06:54:41.497Z

Link: CVE-2026-22729

cve-icon Vulnrichment

Updated: 2026-03-18T14:50:24.509Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T08:16:31.000

Modified: 2026-04-01T16:53:35.810

Link: CVE-2026-22729

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T08:00:03Z

Weaknesses