SQL Injection in Spring AI MariaDBFilterExpressionConverter
High severity
GitHub Reviewed
Published
Mar 18, 2026
to the GitHub Advisory Database
•
Updated Mar 18, 2026
Package
Affected versions
>= 1.1.0-M1, < 1.1.3
< 1.0.4
Patched versions
1.1.3
1.0.4
Description
Published by the National Vulnerability Database
Mar 18, 2026
Published to the GitHub Advisory Database
Mar 18, 2026
Reviewed
Mar 18, 2026
Last updated
Mar 18, 2026
A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands.
The vulnerability exists due to missing input sanitization.
References