CVE-2026-22729 - Vulnerability Analysis
High | CVSS: 8.6 | Last Updated: March 18, 2026
Spring AI AbstractFilterExpressionConverter - Broken Access Control
Published: March 18, 2026 | Updated: March 18, 2026 | Remote Exploitable
Overview
Spring AI AbstractFilterExpressionConverter contains a JSONPath injection vulnerability: user-supplied input is concatenated into JSONPath queries without escaping, letting authenticated users bypass metadata-based access controls by supplying crafted filter expressions.
Severity & Score
Severity: High
CVSS Score: 8.6
EPSS Score: 5.1% (probability of exploitation in the next 30 days)
Impact
Authenticated attackers can bypass access controls to access unauthorized documents by injecting arbitrary JSONPath logic.
Mitigation
Update to the latest version, in which user input is properly escaped before it is placed in JSONPath queries.
Social Media Activity (1 post)
/r/netsec
@_r_netsec
CVE-2026-22729: JSONPath Injection in Spring AI’s PgVectorStore https://blog.securelayer7.net/cve-2026-22729-jsonpath-injection-spring-ai-pgvectorstore/
Details
- CVE ID: CVE-2026-22729
- Severity: High
- CVSS Score: 8.6
- Type: nosql_injection
- Status: unconfirmed
- EPSS: 5.1%
- Social Posts: 1
CWE
- CWE-917
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score
5.1% (probability of exploitation in the next 30 days)