CVE-2026-22730

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands. The vulnerability exists due to missing input sanitization.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://spring.io/security/cve-2026-22730	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:spring_ai::::::::
	cpe:2.3:a:vmware:spring_ai::::::::

History

01 Apr 2026, 16:52

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad crítica de inyección SQL en el MariaDBFilterExpressionConverter de Spring AI permite a los atacantes eludir los controles de acceso basados en metadatos y ejecutar comandos SQL arbitrarios. La vulnerabilidad existe debido a la falta de saneamiento de entrada.
References	~~() https://spring.io/security/cve-2026-22730 -~~	() https://spring.io/security/cve-2026-22730 - Vendor Advisory
First Time		Vmware Vmware spring Ai
CPE		cpe:2.3:a:vmware:spring_ai::::::::

18 Mar 2026, 16:16

Type	Values Removed	Values Added
CWE		CWE-89

18 Mar 2026, 08:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-18 08:16

Updated : 2026-04-01 16:52

NVD link : CVE-2026-22730

Mitre link : CVE-2026-22730

CVE.ORG link : CVE-2026-22730

JSON object : View

Products Affected

vmware

spring_ai

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

8.8 /10