
CVE-2026-22729

Severity: High
Published: 18 March 2026
Modified: 01 April 2026
KEV added: not listed
Patch: see vendor advisory
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.0052 (40.1th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22729 is a high-severity Expression Language Injection (CWE-917) vulnerability in VMware Spring AI. Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 40.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is classified as AI-related (AI category: NLP and Transformers; risk domain: Data-Related Vulnerabilities).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22729 is a JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter. The issue arises when user-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, allowing injection of arbitrary JSONPath logic. Special characters such as ", ||, and && are passed through unescaped, enabling attackers to alter intended query semantics and bypass metadata-based access controls. This affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.

Authenticated users can exploit the vulnerability by crafting filter expressions with malicious input, injecting JSONPath logic to access unauthorized documents. The attack requires no special privileges beyond authentication, operates over the network with low complexity, and results in high confidentiality impact through scoped access to sensitive data; this is reflected in its CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). It is classified under CWE-917 (Expression Language Injection).
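The concatenation pattern described above, beside a hardened builder that renders the user value as a proper JSONPath string literal and a structural check a defender can apply to generated filters. This is an added Python illustration of the general pattern, not Spring AI's own code; the filter shape $[?(@.key == "value")], the function names and the sample values are assumptions.

```python
import re

# Hypothetical builders mirroring the pattern in the analysis: a metadata
# equality filter rendered as a JSONPath filter expression. Not Spring AI code.

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_filter_unsafe(key: str, value: str) -> str:
    """Vulnerable pattern: the user value is concatenated straight into the
    string literal, so a stray double quote ends the literal early and any
    text after it (e.g. || or &&) becomes part of the query itself."""
    return f'$[?(@.{key} == "{value}")]'


def jsonpath_string_literal(value: str) -> str:
    """Render value as a double-quoted JSON/JSONPath string literal.
    Backslash and double quote are escaped so the literal cannot be closed
    early; control characters are \\u-escaped so they cannot split tokens."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ord(ch) < 0x20:
            out.append(f"\\u{ord(ch):04x}")
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def build_filter_safe(key: str, value: str) -> str:
    """Hardened pattern: the key must match an identifier allow-list and the
    value is always emitted through jsonpath_string_literal()."""
    if not _KEY_RE.match(key):
        raise ValueError(f"invalid metadata key: {key!r}")
    return f"$[?(@.{key} == {jsonpath_string_literal(value)})]"


def count_unescaped_quotes(expr: str) -> int:
    """Count double quotes not preceded by a backslash escape."""
    n, i = 0, 0
    while i < len(expr):
        if expr[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if expr[i] == '"':
            n += 1
        i += 1
    return n


def filter_is_well_formed(expr: str) -> bool:
    """Structural guard for a single equality filter: exactly one string
    literal, i.e. exactly two unescaped quotes. More means a break-out."""
    return count_unescaped_quotes(expr) == 2
```

The guard is a cheap last line of defence (or a log-time detection rule) for filters built by code you do not control; the real fix is to never concatenate raw values into the expression.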

The Spring security advisory provides details on mitigation and patches at https://spring.io/security/cve-2026-22729, published on 2026-03-18.


Vulnerability details

A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata. The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.

AI Security Analysis

AI category: NLP and Transformers
Risk domain: Data-Related Vulnerabilities
OWASP Top 10 for LLMs 2025: none mapped
Classification reason: matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why this technique? JSONPath injection in a network-accessible Spring AI component directly enables exploitation of a public-facing application to bypass metadata filters and access unauthorized data.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2026-41705 (same product: VMware Spring AI)
CVE-2026-22738 (same product: VMware Spring AI)
CVE-2026-22744 (same product: VMware Spring AI)
CVE-2026-40967 (same product: VMware Spring AI)
CVE-2026-22730 (same product: VMware Spring AI)
CVE-2026-22743 (same product: VMware Spring AI)
CVE-2026-40978 (same product: VMware Spring AI)
CVE-2026-22742 (same product: VMware Spring AI)
CVE-2026-41712 (same product: VMware Spring AI)
CVE-2026-41713 (same product: VMware Spring AI)

Affected Assets

Vendor: VMware
Product: Spring AI
Affected versions: 1.0.0 to 1.0.4 and 1.1.0 to 1.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): requires validation and sanitization of user-controlled inputs to FilterExpressionBuilder, directly preventing JSONPath injection by blocking unescaped special characters like ", ||, and &&.

SI-2 Flaw Remediation (prevent): mandates identification, reporting, and correction of the specific flaw in AbstractFilterExpressionConverter, enabling application of Spring-provided patches for proper input escaping.

AC-3 Access Enforcement (prevent): enforces logical access authorizations based on metadata attributes, providing defense-in-depth against injection-based bypasses of multi-tenant and role-based controls.
