CVE-2026-22729: Vulnerability in VMware Spring AI
A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions. User-controlled input passed to FilterExpressionBuilder is concatenated into JSONPath queries without proper escaping, enabling attackers to inject arbitrary JSONPath logic and access unauthorized documents. This vulnerability affects applications using vector stores that extend AbstractFilterExpressionConverter for multi-tenant isolation, role-based access control, or document filtering based on metadata. The vulnerability occurs when user-supplied values in filter expressions are not escaped before being inserted into JSONPath queries. Special characters like ", ||, and && are passed through unescaped, allowing injection of arbitrary JSONPath logic that can alter the intended query semantics.
AI Analysis
Technical Summary
CVE-2026-22729 is a JSONPath injection vulnerability in VMware Spring AI's AbstractFilterExpressionConverter component, affecting versions 1.0.x and 1.1.x. The vulnerability arises because user-supplied input used in filter expressions is concatenated directly into JSONPath queries without escaping or sanitization. This improper handling allows authenticated attackers to inject arbitrary JSONPath operators and logic, such as the double-quote character ("), "||", and "&&", which change the semantics of the query. The consequence is a bypass of metadata-based access controls implemented via these filter expressions, enabling unauthorized access to documents that should be restricted by tenant isolation, role, or other metadata filters. The vulnerability is particularly relevant in environments using vector stores that extend AbstractFilterExpressionConverter for multi-tenant or role-based document filtering. The CVSS 3.1 score of 8.6 reflects a high-severity issue with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change that impacts confidentiality but not integrity or availability. Although no public exploits are currently known, the nature of the vulnerability makes it a significant risk for data confidentiality breaches in affected deployments.
Potential Impact
The primary impact of CVE-2026-22729 is unauthorized disclosure of sensitive documents due to bypassed metadata-based access controls. Organizations relying on Spring AI's AbstractFilterExpressionConverter for multi-tenant isolation or role-based filtering may have their data segregation controls circumvented, leading to potential data leaks across tenants or roles. This can result in exposure of confidential business information, personally identifiable information (PII), or intellectual property. Since the vulnerability does not affect data integrity or availability, the main concern is confidentiality compromise. The ease of exploitation (no privileges or user interaction required) and network accessibility increase the risk of widespread exploitation once an exploit is developed. This threat is especially critical for organizations using Spring AI in regulated industries or handling sensitive data, as unauthorized access could lead to compliance violations, reputational damage, and financial loss.
Mitigation Recommendations
To mitigate CVE-2026-22729, organizations should upgrade to patched versions of VMware Spring AI as soon as they are available. Until then, developers should implement strict input validation and sanitization for all user-supplied filter values, ensuring that special characters such as the double-quote character ("), "||", and "&&" are properly escaped or rejected. An allowlist for permitted filter fields and value formats, or a query-building mechanism that emits user values only as properly escaped string literals, prevents injected text from being parsed as JSONPath logic. Additionally, enforcing strong authentication and monitoring access logs for anomalous filter-expression patterns (quotes or logical operators inside values that should be plain identifiers) can help detect exploitation attempts. Segmentation and least-privilege principles should be applied to limit the impact of any breach. Finally, security code reviews and penetration testing focused on JSONPath query construction can identify similar injection risks proactively.
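The following added example (not code from Spring AI or from the advisory) illustrates the mechanism described above and the corresponding mitigation in Python. The JSONPath filter shape `$[?(@.metadata.<field> == "<value>")]` is an assumed, simplified form of what a metadata-filtered vector query can look like, not Spring AI's real converter output. It shows the vulnerable concatenation beside a hardened builder that allow-lists the field name and emits the value as a JSON string literal, plus a small scanner that counts comparisons outside string literals (a single-field filter should always yield exactly one) and a log-side check for suspicious values.

```python
import json
import re

# Assumption: metadata field names and plain filter values are short identifiers.
ALLOWED_IDENTIFIER = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Characters the advisory names as dangerous inside an unescaped JSONPath value.
SUSPICIOUS_VALUE = re.compile(r'["\\]|\|\||&&')


def build_filter_unsafe(field: str, value: str) -> str:
    """Vulnerable pattern: the user value is concatenated verbatim into a
    JSONPath string literal, so a quote inside the value closes the literal
    and anything after it is parsed as JSONPath logic."""
    return f'$[?(@.metadata.{field} == "{value}")]'


def build_filter_safe(field: str, value: str) -> str:
    """Hardened pattern: the field name must match the allow-list, and the
    value is emitted via json.dumps, which escapes quotes and backslashes so
    it can never terminate the literal or introduce || / && operators."""
    if not ALLOWED_IDENTIFIER.match(field):
        raise ValueError(f"illegal metadata field name: {field!r}")
    return f"$[?(@.metadata.{field} == {json.dumps(value)})]"


def count_comparisons(jsonpath: str) -> int:
    """Count '==' tokens that sit outside double-quoted string literals.
    Used here as a self-check: one field filter must contain exactly one."""
    count = 0
    in_string = False
    i = 0
    while i < len(jsonpath):
        ch = jsonpath[i]
        if in_string:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == '"':
                in_string = False
        else:
            if ch == '"':
                in_string = True
            elif jsonpath.startswith("==", i):
                count += 1
                i += 1
        i += 1
    return count


def looks_like_injection(value: str) -> bool:
    """Detection aid for access-log review: flag a filter value that carries a
    quote, backslash, or logical operator where a plain identifier is expected."""
    return SUSPICIOUS_VALUE.search(value) is not None


if __name__ == "__main__":
    # Constructed sample value: a quote followed by an extra OR clause.
    crafted = 'x" || @.metadata.tenant == "other'
    print(build_filter_unsafe("tenant", crafted), count_comparisons(build_filter_unsafe("tenant", crafted)))
    print(build_filter_safe("tenant", crafted), count_comparisons(build_filter_safe("tenant", crafted)))
    print(looks_like_injection(crafted), looks_like_injection("acme"))
```

Run as a script, the unsafe builder yields a filter with two comparisons joined by `||` (the tenant restriction is widened), while the safe builder yields one comparison whose literal still contains the attacker's text as inert characters. The `looks_like_injection` check is deliberately narrow and is meant for alerting on values that should be identifiers, not as a replacement for the escaping in `build_filter_safe`.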
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: vmware
- Date Reserved: 2026-01-09T06:54:41.497Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ba5b20771bdb174957e258
Added to database: 3/18/2026, 7:58:24 AM
Last enriched: 3/18/2026, 8:12:59 AM
Last updated: 3/20/2026, 8:01:59 AM