CVE-2026-22743
Published: 27 March 2026
Summary
CVE-2026-22743 is a high-severity SQL Injection (CWE-89) vulnerability in Vmware Spring Ai. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the vulnerable Spring AI neo4j-store versions to remediate the Cypher injection flaw in Neo4jVectorFilterExpressionConverter.
Mandates validation and sanitization of user-controlled filter expression keys to prevent embedding of malicious backticks and arbitrary Cypher queries.
Enables identification of the specific vulnerable Spring AI versions through vulnerability scanning, facilitating proactive flaw remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing app (T1190) via Cypher injection enabling unauthorized database data access (T1213.006).
NVD Description
Spring AI's spring-ai-neo4j-store contains a Cypher injection vulnerability in Neo4jVectorFilterExpressionConverter. When a user-controlled string is passed as a filter expression key in Neo4jVectorFilterExpressionConverter of spring-ai-neo4j-store, doKey() embeds the key into a backtick-delimited Cypher property accessor (node.`metadata.`) after stripping only double…
more
quotes, without escaping embedded backticks.This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Deeper analysisAI
CVE-2026-22743 is a Cypher injection vulnerability in the Neo4jVectorFilterExpressionConverter of Spring AI's spring-ai-neo4j-store module. The vulnerability arises when a user-controlled string is passed as a filter expression key; the doKey() method embeds this key into a backtick-delimited Cypher property accessor in the form node.`metadata.<key>`, stripping only double quotes without escaping embedded backticks. This flaw affects Spring AI versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4.
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity and no user interaction required, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By supplying a malicious filter expression key containing crafted backticks, the attacker can inject arbitrary Cypher queries, resulting in high-impact confidentiality loss through unauthorized access to sensitive data in the Neo4j database.
The official Spring security advisory at https://spring.io/security/cve-2026-22743 details mitigation steps, recommending upgrades to patched versions: Spring AI 1.0.5 or later for the 1.0.x series, and 1.1.4 or later for the 1.1.x series. This issue is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, ai, ai, ai