al-ice.ai

Spring AI — FilterExpressionConverter Injection Flaws (CVE-2026-22729, CVE-2026-22730)

AI CVEs by al-ice.ai Editorial

Spring AI published two March 2026 advisories in filter-expression conversion code paths used for metadata filtering, with one issue enabling JSONPath logic injection and another enabling SQL injection in MariaDB-specific conversion.

  • CVE-2026-22729 affects vector-store filtering paths that extend AbstractFilterExpressionConverter, where unescaped user input can alter JSONPath semantics.
  • The JSONPath issue can let authenticated users bypass metadata-based document isolation controls, including tenant or role filters built on metadata selectors.
  • CVE-2026-22730 targets MariaDBFilterExpressionConverter, with missing sanitization that can lead to SQL injection and policy bypass in metadata queries.
  • Both flaws are dangerous in AI retrieval pipelines because metadata filters are frequently treated as a hard authorization boundary in RAG stacks.
  • Spring links both CVEs to patched release lines 1.0.4 and 1.1.3, indicating remediation is available in maintained branches.
  • Even when primary app auth is intact, these issues can enable cross-tenant data exposure if filter expressions are built from user-controlled fields.
  • This is a recurring AI infra pattern: “semantic search access control” implemented inside query builders without strict expression escaping.

Why it matters

In agentic and RAG systems, metadata filtering often doubles as authorization. If expression conversion is injectable, attackers do not need model jailbreaks to reach sensitive content—they can abuse query syntax itself. That turns retrieval infrastructure into an implicit privilege-escalation path across teams, tenants, or document classes.

What to do

  • Patch now: upgrade Spring AI components to fixed releases referenced by Spring security advisories.
  • Assume filter input is hostile: prohibit raw user-controlled expression fragments in metadata query construction.
  • Re-validate tenant boundaries: run cross-tenant retrieval tests (positive and negative) after upgrades.
  • Add detection: alert on unusual JSONPath operators and high-entropy filter payloads in retrieval logs.
  • Compartmentalize data stores: reduce blast radius with per-tenant indexes/schemas where practical.

Sources