CVE-2026-22729 - Vulnerability Analysis
Severity: High | CVSS: 8.6 | Last Updated: March 18, 2026
Spring AI AbstractFilterExpressionConverter - Broken Access Control
Overview
Spring AI AbstractFilterExpressionConverter contains a JSONPath injection vulnerability: unescaped user input is concatenated into JSONPath queries, letting authenticated users bypass metadata-based access controls via crafted filter expressions.
Severity & Score: High (CVSS 8.6)
Impact
Authenticated attackers can inject arbitrary JSONPath logic into filter expressions and thereby bypass access controls to reach documents they are not authorized to see.
Mitigation
Update to the latest version, which properly escapes user input before it is placed in JSONPath queries.
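An added illustration of the mechanism behind this CVE and of the escaping the fix relies on, written in Python rather than Spring AI's Java and not the project's own code: a naive converter that concatenates a metadata value into a JSONPath filter beside a hardened one that allow-lists the key and escapes the literal. The key names, the filter shape and the structural check are constructed assumptions.

```python
# Constructed allow-list of metadata keys a caller may filter on (an assumption, not Spring AI's).
ALLOWED_KEYS = {"owner", "tenant", "classification"}


def naive_filter(key: str, value: str) -> str:
    """The vulnerable pattern: user input dropped straight into a JSONPath string literal."""
    return f"$[?(@.metadata.{key} == '{value}')]"


def escape_jsonpath_string(value: str) -> str:
    """Escape backslash and single quote so the value can never close the literal it sits in."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def safe_filter(key: str, value: str) -> str:
    """Hardened form: reject keys outside the allow-list and escape the value before concatenation."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"metadata key not allowed: {key!r}")
    return f"$[?(@.metadata.{key} == '{escape_jsonpath_string(value)}')]"


def single_literal_intact(expr: str) -> bool:
    """Scan the filter honouring backslash escapes; True only if exactly one string
    literal is opened and closed, i.e. the value stayed data and did not become syntax."""
    literals, in_str, escaped = 0, False, False
    for ch in expr:
        if not in_str:
            in_str = ch == "'"
        elif escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "'":
            in_str, literals = False, literals + 1
    return not in_str and literals == 1


if __name__ == "__main__":
    # A legitimate value with an apostrophe already breaks the naive query's structure;
    # that is the same mechanism a crafted filter expression abuses.
    for build in (naive_filter, safe_filter):
        expr = build("owner", "O'Brien")
        print(f"{build.__name__:13s} {expr}  intact={single_literal_intact(expr)}")
```

Run stand-alone it prints the two generated filters; the naive one is reported as structurally broken, the hardened one as intact.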
Social Media Activity(2 posts)
🔒 HIGH: CVE-2026-22729 in VMware Spring AI (1.0.x, 1.1.x) enables JSONPath injection, letting authenticated users bypass access controls and access sensitive docs. Patch or sanitize input! https://radar.offseq.com/threat/cve-2026-22729-vulnerability-in-vmware-spring-ai-96356f4f #OffSeq #SpringAI #CVE202622729 #AppSec
Details
- CVE ID: CVE-2026-22729
- Severity: High
- CVSS Score: 8.6
- Type: nosql_injection
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N