CVE-2026-22744
Published 2026-03-27
Priority: P3 · 41 · Severity: high · CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.25% (16.2 percentile)
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| spring | spring_ai | >= 1.0.0 < 1.0.5 | 1.0.5 |
| spring | spring_ai | >= 1.1.0 < 1.1.4 | 1.1.4 |
| vmware | spring_ai | >= 1.0.0 < 1.0.5 | 1.0.5 |
| vmware | spring_ai | >= 1.1.0 < 1.1.4 | 1.1.4 |
GHSA
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters
GHSA · 2026-03-27
CVE-2026-22744 [HIGH] CWE-74
OSV
Spring AI Redis Store has TAG Field Query Injection Through Improper Neutralization of Special Characters
OSV · 2026-03-27
CVE-2026-22744 [HIGH]
No detection rules found.
No public exploits indexed.
Published: 2026-03-27