Spring Product Security Update Advisory

overview

We have released security updates that address vulnerabilities in Spring products. users of affected products are encouraged to update to the latest version.

affected products

Cve-2026-22729, cve-2026-22730

Spring AI version: 1.0.x
Spring AI version: 1.1.x

resolved vulnerabilities

JSONPath injection vulnerability in FilterExpressionConverter in Spring AI Vector Stores (CVE-2026-22729)
SQL injection vulnerability in Spring AI MariaDBFilterExpressionConverter (CVE-2026-22730)

vulnerability patches

Vulnerability patches have been made available in the latest update. please follow the instructions on the reference site to update to the latest version of the vulnerability patch.

Cve-2026-22729, cve-2026-22730

Spring AI version: 1.0.4
Spring AI version: 1.1.3

references

[1] CVE-2026-22729: JSONPath Injection in Spring AI Vector Stores FilterExpressionConverter
https://spring.io/security/cve-2026-22729
[2] CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter
https://spring.io/security/cve-2026-22730