Spring Security Advisories

RSS feed

CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter

HIGH | MARCH 17, 2026 | CVE-2026-22730

Description

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.

The vulnerability exists due to missing input sanitization.

Affected Spring Products and Versions

Spring AI:

  • 1.0.0 - 1.0.x
  • 1.1.0 - 1.1.x

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.

Affected version(s) Fix version Availability
1.0.x 1.0.4 OSS
1.1.x 1.1.3 OSS

No further mitigation steps are necessary.

Credit

This issue was responsibly reported by the Blackf0g team from SecureLayer7.

References

History

Reporting a vulnerability

To report a security vulnerability for a project within the Spring portfolio, see the Security Policy

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all