Platform
java
Component
org.springframework.ai:spring-ai-neo4j-store
Fixed in
1.0.5
1.1.4
CVE-2026-22743 describes a Cypher injection vulnerability in Spring AI's spring-ai-neo4j-store component. The vulnerability exists in the Neo4jVectorFilterExpressionConverter class, where a user-controlled string passed as a filter expression key is embedded into a Cypher property accessor without proper escaping. This allows an attacker to inject malicious Cypher code, potentially compromising the Neo4j database. The vulnerability affects versions 1.0.4 and earlier, and 1.1.x versions before 1.1.4.
The impact of CVE-2026-22743 is significant because of the potential for unauthorized access to and modification of data within the Neo4j database. An attacker can inject malicious Cypher code through the filter expression key, bypassing security controls and gaining control over database operations. This could lead to data breaches, data corruption, and even complete database compromise. The vulnerability highlights the importance of proper input validation and output encoding when interacting with databases, and it resembles other Cypher injection vulnerabilities in that respect.
CVE-2026-22743 has a CVSS score of 7.5 (HIGH). It is not currently listed on KEV or EPSS. Public proof-of-concept (POC) code is not yet available. The vulnerability was published on 2026-03-27. Given the potential for database compromise, it is crucial to monitor for emerging exploitation attempts.
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-22743 is to upgrade to Spring AI version 1.0.5 or later (1.1.4 or later on the 1.1.x line). These versions include a fix that properly escapes embedded backticks in the Cypher property accessor. As a temporary workaround, restrict user input to trusted sources and implement strict input validation to prevent the injection of malicious characters. Consider using parameterized queries or prepared statements to further mitigate the risk of Cypher injection. After upgrading, confirm the fix by testing the application with various filter expression inputs, including those containing backticks.
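To make the defect and its fix concrete, here is an added stand-alone model (not Spring AI's own Java code) of how a filter key is rendered into a backtick-quoted Cypher property accessor, the vulnerable rendering beside the escaped one, a small lexer-style check that reveals whether a key broke out of the quotes, and the allowlist check that serves as the interim workaround. The node alias `node` and parameter name are assumptions for illustration, and the sample key is constructed.

```python
import re

# Assumed alias for the vector-store node in the generated Cypher (illustrative).
NODE_ALIAS = "node"
# Allowlist for the interim workaround: plain identifiers only.
KEY_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def property_accessor_unescaped(key: str) -> str:
    """Vulnerable pattern (pre-1.0.5 / pre-1.1.4): key dropped between backticks verbatim."""
    return f"{NODE_ALIAS}.`{key}`"


def escape_backticks(key: str) -> str:
    """Cypher escapes a backtick inside a backtick-quoted identifier by doubling it."""
    return key.replace("`", "``")


def property_accessor(key: str) -> str:
    """Fixed pattern: an embedded backtick can no longer terminate the identifier."""
    return f"{NODE_ALIAS}.`{escape_backticks(key)}`"


def build_filter(key: str, param_name: str, safe: bool = True) -> str:
    """Render 'node.`key` = $param'. Only the VALUE can be a Cypher parameter;
    a property name cannot be parameterized, so the key must be escaped or allowlisted."""
    accessor = property_accessor(key) if safe else property_accessor_unescaped(key)
    return f"{accessor} = ${param_name}"


def parse_accessor(rendered: str) -> tuple[str, str]:
    """Read the quoted identifier back the way a Cypher lexer would.
    Returns (identifier, text left over after the closing backtick); any
    leftover means the key escaped the quotes and became query syntax."""
    prefix = f"{NODE_ALIAS}.`"
    if not rendered.startswith(prefix):
        raise ValueError("not a quoted property accessor")
    i, ident = len(prefix), []
    while i < len(rendered):
        if rendered[i] == "`":
            if rendered[i + 1:i + 2] == "`":          # doubled backtick -> literal
                ident.append("`")
                i += 2
                continue
            return "".join(ident), rendered[i + 1:]   # closing backtick
        ident.append(rendered[i])
        i += 1
    raise ValueError("unterminated identifier")


def is_safe_key(key: str) -> bool:
    """Workaround for unpatched deployments: reject anything but a plain identifier."""
    return bool(KEY_PATTERN.match(key))


if __name__ == "__main__":
    key = "ge`nre"  # constructed sample containing a single backtick
    for safe in (False, True):
        clause = build_filter(key, "v", safe=safe)
        print(f"safe={safe}: {clause!r} -> {parse_accessor(clause)}")
```

With the unescaped rendering the lexer sees the identifier `ge` and the tail `nre` = $v` outside the quotes; with the fix the whole key survives as one identifier and only ` = $v` remains.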
Update the spring-ai-neo4j-store dependency to version 1.0.5 or later if you are on the 1.0.x branch, or to version 1.1.4 or later if you are on the 1.1.x branch. This fixes the Cypher injection vulnerability. Check the release notes for additional details on the update.
CVE-2026-22743 is a Cypher injection vulnerability in Spring AI's spring-ai-neo4j-store component that allows attackers to inject malicious Cypher code into Neo4j queries.
You are affected if you are using Spring AI versions 1.0.0 through 1.0.4, or 1.1.0 through 1.1.3.
Upgrade Spring AI to version 1.0.5 or later for Spring AI 1.0.x, or to version 1.1.4 or later for Spring AI 1.1.x.
Currently, there are no public exploitation reports or proof-of-concept code available for this vulnerability.
Refer to the National Vulnerability Database (NVD) entry at [https://nvd.nist.gov/vuln/detail/CVE-2026-22743](https://nvd.nist.gov/vuln/detail/CVE-2026-22743) for more information.