CVE-2026-22743 identifies a Cypher injection vulnerability in the spring-ai-neo4j-store module of Spring AI, specifically within the Neo4jVectorFilterExpressionConverter class. The vulnerability occurs when a user-supplied string is passed as a filter expression key and embedded into a Cypher query property accessor using backticks (node.`metadata.`). The implementation strips only double quotes but fails to escape embedded backticks, allowing an attacker to inject arbitrary Cypher code. This can manipulate the query logic executed against the Neo4j graph database, potentially exposing sensitive information or bypassing intended access controls. The affected versions include Spring AI 1.0.0 up to but not including 1.0.5 and 1.1.0 up to but not including 1.1.4. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects high confidentiality impact with low attack complexity. The issue was reserved in January 2026 and published in March 2026. No official patches or advisories are linked yet, but upgrading to fixed versions or applying input sanitization is critical. This vulnerability highlights the importance of proper input validation and escaping in query construction to prevent injection attacks in graph databases.

The primary impact of CVE-2026-22743 is unauthorized disclosure of sensitive data stored in Neo4j databases used by Spring AI applications. By exploiting the Cypher injection flaw, attackers can craft malicious queries that bypass intended filters or access controls, potentially exposing confidential metadata or other protected information. Since the vulnerability does not affect integrity or availability directly, attackers cannot modify or delete data or cause denial of service through this flaw alone. However, the confidentiality breach can lead to significant business risks including intellectual property theft, privacy violations, and regulatory non-compliance. The ease of remote exploitation without authentication or user interaction increases the likelihood of attacks, especially in exposed environments. Organizations relying on Spring AI with Neo4j integration in sectors such as finance, healthcare, and technology may face reputational damage and financial losses if exploited. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits may emerge. Overall, the vulnerability poses a high risk to confidentiality and requires urgent remediation to protect sensitive graph data.

1. Upgrade affected Spring AI versions to 1.0.5 or later and 1.1.4 or later once official patches are released to ensure the vulnerability is fixed. 2. Until patches are available, implement strict input validation on all user-controlled filter expression keys to reject or sanitize any backticks or other special characters that could be used for injection. 3. Modify the Neo4jVectorFilterExpressionConverter code to properly escape backticks within filter keys before embedding them into Cypher queries, preventing injection. 4. Employ Web Application Firewalls (WAFs) or database query firewalls that can detect and block suspicious Cypher query patterns indicative of injection attempts. 5. Conduct thorough code reviews and security testing focusing on query construction and input handling in all components interacting with Neo4j. 6. Monitor application and database logs for unusual query patterns or access anomalies that may indicate exploitation attempts. 7. Limit network exposure of Neo4j instances and restrict access to trusted users and services only. 8. Educate developers on secure coding practices related to graph database queries and injection prevention. These targeted measures go beyond generic advice by focusing on the specific injection vector and the affected component.