CVE-2026-22729
Published: 18 March 2026
Summary
CVE-2026-22729 is a high-severity Expression Language Injection (CWE-917) vulnerability in VMware Spring AI, specifically a JSONPath injection in its filter-expression handling. Its CVSS v3.1 base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 9.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires that values a caller supplies to FilterExpressionBuilder be validated and escaped before use; this directly addresses the JSONPath injection, since the characters that change query semantics (", ||, and &&) then never reach the query unescaped.
SI-2 mandates identification, reporting, and correction of the specific flaw in AbstractFilterExpressionConverter, enabling application of Spring-provided patches for proper input escaping.
AC-3 enforces logical access authorizations based on metadata attributes, providing defense-in-depth against injection-based bypasses of multi-tenant and role-based controls.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
JSONPath injection in a network-accessible Spring AI component directly enables exploitation of a public-facing application to bypass metadata filters and access unauthorized data.
NVD Description
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata. The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
Deeper analysis
CVE-2026-22729 is a JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter. The issue arises when user-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, allowing injection of arbitrary JSONPath logic. Special characters such as ", ||, and && are passed through unescaped, enabling attackers to alter intended query semantics and bypass metadata-based access controls. This affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.
According to the description, an authenticated user exploits the flaw by submitting a filter value that carries JSONPath syntax, turning a query scoped to their own tenant or role into one that also returns other users' documents. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, base score 8.6) scores the attack as network-reachable, low complexity and requiring no privileges (PR:N), which is stricter than the description's "authenticated users" wording; in either reading no user interaction is needed. The scope change (S:C) reflects that the injected filter reaches documents the vulnerable component is supposed to keep out of reach of the caller, giving a high confidentiality impact with no integrity or availability impact. The weakness is CWE-917, Improper Neutralization of Special Elements used in an Expression Language Statement (Expression Language Injection).
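As an added illustration of this bug class for the analysis above and the SI-10 control listed earlier (this is not Spring AI's code, and the toy filter grammar below is not the project's converter): a builder that concatenates the caller's value into a JSONPath filter the way the advisory describes, a hardened builder that escapes the literal and whitelists the field name, and a minimal evaluator for the $[?(...)] subset so the semantic change can be observed. The document corpus, tenant names, ids and the payload string are constructed for the example.

```python
import re

# Constructed sample corpus: one vector store shared by three tenants (not Spring AI data).
DOCS = [
    {"id": 1, "tenant": "acme",    "text": "acme quarterly plan"},
    {"id": 2, "tenant": "globex",  "text": "globex payroll export"},
    {"id": 3, "tenant": "initech", "text": "initech product roadmap"},
]

# Toy evaluator for the filter subset this bug class touches (an assumption, not Spring AI's grammar):
#   @.field == "literal" | @.field != "literal" | ( expr ) | expr && expr | expr || expr
TOKEN_RE = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|(@\.[A-Za-z_]\w*)|(==|!=|&&|\|\||[()]))')


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unparseable filter at offset {pos}: {expr[pos:]!r}")
        string, field, op = m.groups()
        if string is not None:                      # decode \" and \\ inside the literal
            tokens.append(("str", re.sub(r"\\(.)", r"\1", string[1:-1])))
        elif field is not None:
            tokens.append(("field", field[2:]))     # strip the leading "@."
        else:
            tokens.append(("op", op))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent: '||' binds loosest, then '&&', then comparisons and parentheses."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _take(self, expected=None):
        tok = self._peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected}, got {tok}")
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing tokens: {self.toks[self.i:]}")
        return node

    def _or(self):
        node = self._and()
        while self._peek() == ("op", "||"):
            self._take()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._cmp()
        while self._peek() == ("op", "&&"):
            self._take()
            node = ("and", node, self._cmp())
        return node

    def _cmp(self):
        if self._peek() == ("op", "("):
            self._take()
            node = self._or()
            self._take(("op", ")"))
            return node
        field = self._take()
        if field[0] != "field":
            raise ValueError(f"expected @.field, got {field}")
        op = self._take()
        if op not in (("op", "=="), ("op", "!=")):
            raise ValueError(f"expected == or !=, got {op}")
        lit = self._take()
        if lit[0] != "str":
            raise ValueError(f"expected string literal, got {lit}")
        return (op[1], field[1], lit[1])


def _evaluate(node, doc):
    kind = node[0]
    if kind == "or":
        return _evaluate(node[1], doc) or _evaluate(node[2], doc)
    if kind == "and":
        return _evaluate(node[1], doc) and _evaluate(node[2], doc)
    _, field, literal = node
    return doc.get(field) == literal if kind == "==" else doc.get(field) != literal


def query(jsonpath, docs=DOCS):
    """Run a $[?(<filter>)] query over the corpus and return the matching documents."""
    m = re.fullmatch(r"\$\[\?\((.*)\)\]", jsonpath, re.S)
    if not m:
        raise ValueError("only $[?(<filter>)] is supported by this toy evaluator")
    tree = _Parser(tokenize(m.group(1))).parse()
    return [d for d in docs if _evaluate(tree, d)]


def vulnerable_filter(field, value):
    """Same bug class as the advisory: the caller's value is concatenated into the query
    unescaped, so a '"' in it ends the literal and '||' / '&&' become query operators."""
    return f'$[?(@.{field} == "{value}")]'


def escape_json_string(value):
    """Escape the two characters that can break out of a JSONPath string literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def safe_filter(field, value):
    """Hardened form: escape the literal and accept only identifier-like field names,
    so neither the value nor the key position can carry query syntax."""
    if not re.fullmatch(r"[A-Za-z_]\w*", field):
        raise ValueError(f"illegal metadata field name: {field!r}")
    return f'$[?(@.{field} == "{escape_json_string(value)}")]'


# Constructed payload: what a user of tenant "acme" could submit as their tenant value.
PAYLOAD = 'acme" || @.tenant != "'


def matched_ids(build, field, value):
    """Regression check: which document ids a tenant-scoped query built by `build` returns."""
    return sorted(d["id"] for d in query(build(field, value)))


if __name__ == "__main__":
    print(vulnerable_filter("tenant", PAYLOAD), matched_ids(vulnerable_filter, "tenant", PAYLOAD))
    print(safe_filter("tenant", PAYLOAD), matched_ids(safe_filter, "tenant", PAYLOAD))
```

With the unescaped builder the payload rewrites the query to `@.tenant == "acme" || @.tenant != ""`, which is true for every document, so all three tenants' records come back; the escaped builder yields a single literal containing the whole payload, which matches nothing. The `matched_ids` check is the kind of assertion worth keeping in a test suite for any converter that builds JSONPath from caller input.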
The Spring security advisory provides details on mitigation and patches at https://spring.io/security/cve-2026-22729, published on 2026-03-18.
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai