CVE-2026-22730: SQL Injection in Spring AI MariaDBFilterExpressionConverter

March 18, 2026

A critical SQL injection vulnerability in Spring AI’s MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.

The vulnerability exists due to missing input sanitization.

References

github.com/advisories/GHSA-c267-rfvc-mvpm
github.com/spring-projects/spring-ai
github.com/spring-projects/spring-ai/releases/tag/v1.0.4
github.com/spring-projects/spring-ai/releases/tag/v1.1.3
nvd.nist.gov/vuln/detail/CVE-2026-22730
spring.io/security/cve-2026-22730

Code Behaviors & Features

Detect and mitigate CVE-2026-22730 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →