CVE-2026-22744: Vulnerability in Spring AI
In RedisFilterExpressionConverter of spring-ai-redis-store, when a user-controlled string is passed as a filter value for a TAG field, stringValue() inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping characters. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
AI Analysis
Technical Summary
CVE-2026-22744 is a vulnerability in the RedisFilterExpressionConverter component of the spring-ai-redis-store module in Spring AI, affecting versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4. The root cause is improper handling of user-supplied strings used as filter values for TAG fields in RediSearch queries: the stringValue() method inserts these values directly into the @field:{VALUE} RediSearch TAG block without escaping special characters. Because nothing is escaped, an attacker can supply input that alters the RediSearch query syntax, enabling query injection. Such injections could allow unauthorized access to sensitive data by bypassing intended query filters, compromising confidentiality. The vulnerability does not affect data integrity or availability, and exploitation requires neither authentication nor user interaction, so it is remotely exploitable over the network. Although no exploits have been reported in the wild, the presence of the flaw in widely used Spring AI versions with Redis and RediSearch integration poses a significant risk. The CVSS v3.1 base score of 7.5 reflects these factors and highlights the need for prompt remediation. The vulnerability was reserved in January 2026 and published in March 2026; no official patches are linked yet, so users should monitor vendor advisories closely.
Potential Impact
The primary impact of CVE-2026-22744 is the potential unauthorized disclosure of sensitive information stored or queried via RediSearch in Spring AI applications. Attackers can exploit the injection flaw to bypass query filters and retrieve data that should be restricted, leading to confidentiality breaches. This can affect organizations relying on Spring AI for AI-driven data processing and Redis as a backend, including sectors handling sensitive or regulated data such as finance, healthcare, and government. While the vulnerability does not affect data integrity or system availability, the exposure of confidential data can result in compliance violations, reputational damage, and financial losses. The ease of remote exploitation without authentication widens the exposure, especially for internet-facing services or poorly segmented internal networks. Organizations with automated AI workflows using Spring AI and Redis are particularly at risk, as attackers could leverage this flaw to extract data at scale. The absence of known exploits currently provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
To mitigate CVE-2026-22744, organizations should first monitor Spring AI vendor communications for official patches and apply updates to versions 1.0.5 or later and 1.1.4 or later as soon as they become available. In the interim, developers should implement input validation and sanitization on all user-supplied strings used in RediSearch TAG filters to ensure special characters are properly escaped or rejected. Employing a whitelist approach for allowed characters in filter values can reduce injection risks. Additionally, restricting network access to Redis and Spring AI services to trusted internal hosts and enforcing strict authentication and authorization controls can limit exposure. Logging and monitoring query patterns for anomalous or malformed filter inputs can help detect exploitation attempts early. Where feasible, consider isolating AI and Redis components in segmented network zones with minimal exposure. Finally, conduct security code reviews and penetration testing focused on RediSearch query construction to identify and remediate similar injection vectors.
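As an added illustration of the escaping and allow-list mitigations recommended above (this is not Spring AI's code; the class and method names are hypothetical, and it assumes RediSearch treats punctuation and whitespace inside a TAG query as syntax that must be backslash-escaped), the following helper shows the unescaped construction beside a hardened one:

```java
/** Added example, not Spring AI code: builds a RediSearch TAG clause with and without escaping. */
public final class RediSearchTagEscaper {

    private RediSearchTagEscaper() {}

    /** The pattern the advisory describes: the value is concatenated as-is. */
    public static String unsafeTagClause(String field, String value) {
        return "@" + field + ":{" + value + "}";
    }

    /**
     * RediSearch treats punctuation and whitespace inside a TAG query as syntax,
     * so every character that is not a letter, digit or underscore gets a
     * backslash prefix. Escaping a character RediSearch would have tolerated
     * costs nothing; leaving one unescaped is what allows query manipulation.
     */
    public static String escapeTagValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (!(Character.isLetterOrDigit(c) || c == '_')) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    /** Hardened clause: the value can only match literally. */
    public static String safeTagClause(String field, String value) {
        return "@" + field + ":{" + escapeTagValue(value) + "}";
    }

    /** Stricter allow-list: accept only the tag alphabet your application actually issues. */
    public static boolean isAllowedTag(String value) {
        return value != null && value.matches("[A-Za-z0-9_-]{1,64}");
    }

    public static void main(String[] args) {
        // Constructed sample value containing characters that are TAG query syntax.
        String userValue = "finance} | @dept:{";
        System.out.println(unsafeTagClause("dept", userValue)); // braces and '|' become syntax
        System.out.println(safeTagClause("dept", userValue));   // same characters, now escaped
        System.out.println(isAllowedTag(userValue));            // rejected by the allow-list
        System.out.println(isAllowedTag("finance"));            // accepted
    }
}
```

Applying isAllowedTag() before the value reaches the filter builder is the simplest interim control when tag values come from a known, narrow alphabet; escapeTagValue() is the fallback when arbitrary values must be supported.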
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, India, Canada, Australia, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: vmware
- Date Reserved: 2026-01-09T06:54:49.675Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c61cf33c064ed76f585816
Added to database: 3/27/2026, 6:00:19 AM
Last enriched: 3/27/2026, 6:15:45 AM
Last updated: 3/28/2026, 12:23:22 AM