Spring AI JSONPath Injection Bypass (CVE-2026-22729)
CVE-2026-22729
High-severity JSONPath injection in Spring AI lets authenticated users bypass metadata access controls. Patch now to prevent data exposure. No active exploits reported.
Vendor-confirmed - CVE-2026-22729 is a high data breach risk in Spring AI that lets authenticated users bypass search filters to access unauthorized documents from other tenants or users. Apply the official patch immediately.
Overview
A significant security vulnerability, identified as CVE-2026-22729, has been discovered in the Spring AI framework. This flaw is a JSONPath injection vulnerability within the AbstractFilterExpressionConverter component. In simple terms, it allows users who are already logged into an application to manipulate search filters in a way that can bypass security controls, potentially accessing documents or data they are not authorized to see.
Vulnerability Details
The vulnerability exists when applications use Spring AI’s vector store features for document filtering, which is common in scenarios like multi-tenant data isolation or role-based access control. The system builds JSONPath queries (a language for querying JSON data) using user input from filter expressions. However, this input is not properly sanitized.
Special characters like quotes (") and logical operators (||, &&) are not escaped. This allows an attacker to craft malicious filter expressions that “inject” new logic into the final query. Instead of just filtering by the allowed criteria, the altered query can ignore the intended restrictions and return unauthorized results.
Impact
The impact of this vulnerability is high. Successful exploitation can lead to a serious data breach, where authenticated users can access sensitive documents belonging to other tenants, other users, or from restricted categories. This directly undermines core application security models built on metadata filtering. For context on the risks of data exposure, recent incidents are detailed in our breach reports.
The severity is rated as HIGH with a CVSS score of 8.6, primarily due to the high impact on confidentiality and the low attack complexity for an authenticated attacker.
Remediation and Mitigation
The primary remediation is to apply the official patch released by the Spring AI maintainers. If you are using a vulnerable version, update to the patched version immediately.
Immediate Actions:
- Patch: Upgrade your Spring AI dependency to the version that addresses CVE-2026-22729. Consult the official Spring Security advisory for the specific version number.
- Validate Input: If an immediate patch is not possible, implement strict input validation on all user-supplied values used in FilterExpressionBuilder. Reject any input containing unexpected special characters.
- Review Access Logs: Monitor query logs for anomalous or unusually complex filter expressions, which might indicate attempted exploitation.
Developers should treat user input for JSONPath queries with the same caution as SQL queries, ensuring proper escaping or the use of parameterized builders if available. For the latest updates on vulnerabilities like this, follow our security news section.
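To make the flaw and the mitigations above concrete, here is an added illustration (not Spring AI's code; the query shape is an assumption modelled on the interpolation pattern the advisory describes). It shows a naive builder that interpolates a filter value unescaped, a hardened builder that allow-lists and escapes the value, and a small scanner of the kind a log review could use to flag filter expressions carrying extra logical operators.

```python
import re

# Constructed query shape (assumption): an equality filter on a metadata field.
TEMPLATE = '$[?(@.metadata.tenant == "{value}")]'


def build_filter_naive(tenant: str) -> str:
    """Vulnerable pattern: user value dropped into the query with no escaping."""
    return TEMPLATE.format(value=tenant)


# Conservative allow-list: no quotes, backslashes, spaces or operator characters.
ALLOWED_VALUE = re.compile(r"[A-Za-z0-9_.:-]{1,64}")


def validate_filter_value(value: str) -> str:
    """Reject any value outside the allow-list (covers \", \\, ||, &&)."""
    if not ALLOWED_VALUE.fullmatch(value):
        raise ValueError(f"rejected filter value: {value!r}")
    return value


def escape_jsonpath_string(value: str) -> str:
    """Escape backslashes and double quotes for a double-quoted JSONPath literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_filter_safe(tenant: str) -> str:
    """Hardened pattern: validate, then escape, then interpolate."""
    return TEMPLATE.format(value=escape_jsonpath_string(validate_filter_value(tenant)))


def is_rejected(tenant: str) -> bool:
    try:
        build_filter_safe(tenant)
        return False
    except ValueError:
        return True


def logical_operators_outside_strings(query: str) -> int:
    """Detection heuristic: count || and && that sit outside string literals.
    A single-predicate filter should yield 0; more suggests injected logic."""
    count, in_str, i = 0, False, 0
    while i < len(query):
        c = query[i]
        if in_str:
            if c == "\\":
                i += 1  # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif query.startswith(("||", "&&"), i):
            count += 1
            i += 1
        i += 1
    return count
```

Running the scanner over the filter expressions your application logs, and alerting when the count exceeds what a legitimate filter produces, gives the "unusually complex expression" signal the advisory recommends watching for.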
This flaw highlights the importance of rigorous input validation in all data query layers. Applying the patch promptly is crucial to maintaining the security integrity of applications using Spring AI for document retrieval and filtering.