CVE-2026-22743 Overview
CVE-2026-22743 is a Cypher injection vulnerability in Spring AI's spring-ai-neo4j-store module. The flaw resides in the Neo4jVectorFilterExpressionConverter class, where the doKey() method embeds user-controlled filter expression keys into a backtick-delimited Cypher property accessor. The method strips only double quotes and fails to escape embedded backticks, allowing attackers to break out of the property accessor context. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). Affected versions include Spring AI 1.0.0 before 1.0.5 and 1.1.0 before 1.1.4.
Critical Impact
Attackers can inject arbitrary Cypher fragments into Neo4j queries, leading to unauthorized disclosure of vector store data and metadata.
Affected Products
- Spring AI spring-ai-neo4j-store 1.0.0 through 1.0.4
- Spring AI spring-ai-neo4j-store 1.1.0 through 1.1.3
- Applications using Neo4jVectorFilterExpressionConverter with user-supplied filter keys
Discovery Timeline
- 2026-03-27 - CVE-2026-22743 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-22743
Vulnerability Analysis
The vulnerability stems from incomplete input sanitization in the doKey() method of Neo4jVectorFilterExpressionConverter. Spring AI's Neo4j vector store integration builds Cypher queries from filter expressions supplied to vector similarity searches. When constructing the property accessor portion of a query, doKey() wraps the user-supplied key in backticks to form syntax like node.\metadata.userKey``.
The converter only removes double quote characters from the input. It does not escape or reject backtick characters embedded within the key. An attacker can supply a key containing backticks to terminate the property accessor early and append arbitrary Cypher clauses to the query.
This class of flaw is functionally equivalent to SQL injection but targets the Cypher graph query language used by Neo4j. The injection executes in the context of the application's Neo4j connection, inheriting whatever database privileges that connection holds.
Root Cause
The root cause is improper neutralization of the backtick delimiter character in doKey(). Backticks delimit identifiers in Cypher, and any user-controlled value placed inside a backtick-quoted identifier must have embedded backticks escaped or rejected. The current implementation strips only double quotes, leaving the backtick boundary trivially bypassable.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction when the filter key is reachable from an unauthenticated API surface. An attacker submits a crafted filter expression to a Spring AI endpoint that forwards metadata filter keys to the Neo4j vector store. The malicious key contains backtick characters followed by additional Cypher syntax, which the converter assembles into the final query without further sanitization. The resulting query executes attacker-controlled Cypher against the Neo4j database.
No verified public proof-of-concept code is available. Refer to the Spring Security Advisory CVE-2026-22743 for vendor technical details.
Detection Methods for CVE-2026-22743
Indicators of Compromise
- Neo4j query logs containing unexpected backtick sequences or appended Cypher clauses such as MATCH, RETURN, or CALL within property accessor positions
- Application logs showing filter expression keys with embedded backtick (`) characters
- Unusual outbound data volumes from services backed by spring-ai-neo4j-store
Detection Strategies
- Enable Neo4j query logging and alert on parsed queries where identifier sections contain user-derived data with control characters
- Inspect HTTP request bodies sent to vector search endpoints for backtick characters inside filter key fields
- Audit dependency manifests (pom.xml, build.gradle) for vulnerable spring-ai-neo4j-store versions
Monitoring Recommendations
- Monitor Neo4j database access logs for anomalous query patterns, including unexpected node labels, relationships, or CALL invocations
- Track authentication failures and query errors originating from the Spring AI service account
- Forward Spring AI application logs and Neo4j audit logs to a centralized SIEM for correlation
How to Mitigate CVE-2026-22743
Immediate Actions Required
- Upgrade spring-ai-neo4j-store to version 1.0.5 if running the 1.0.x branch
- Upgrade spring-ai-neo4j-store to version 1.1.4 if running the 1.1.x branch
- Audit application code for any path that allows untrusted input to flow into Spring AI filter expression keys
- Restrict Neo4j account privileges used by the application to the minimum required for vector operations
Patch Information
VMware has released fixed versions in the Spring AI 1.0.5 and 1.1.4 releases. Both versions correct the doKey() method in Neo4jVectorFilterExpressionConverter to properly handle backtick characters. See the Spring Security Advisory CVE-2026-22743 for complete patch details and release notes.
Workarounds
- Validate and reject any filter expression keys containing backtick characters before they reach Neo4jVectorFilterExpressionConverter
- Apply allowlist validation on metadata key names, restricting them to alphanumeric and underscore characters
- Place a request validation layer in front of vector search endpoints to filter control characters from user input
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
