CVE-2026-22744: Spring AI Redis Store Query Injection Vulnerability

CVE-2026-22744 is a query injection flaw in Spring AI's Redis vector store that occurs when user-controlled filter values are inserted unescaped into RediSearch TAG blocks. This article covers technical details, affected versions, detection, and mitigation.

Published: April 3, 2026

CVE-2026-22744 Overview

A query injection vulnerability exists in the RedisFilterExpressionConverter component of Spring AI's Redis Store module. When a user-controlled string is passed as a filter value for a TAG field, the stringValue() method inserts the value directly into the @field:{VALUE} RediSearch TAG block without escaping the characters that have structural meaning there (such as }, | and \). An attacker can therefore change the shape of the RediSearch query and read records the filter was meant to exclude.

Critical Impact

An attacker who controls a filter value can widen or replace the predicate that scopes a similarity search, returning documents and metadata from the Redis vector store that the filter was meant to exclude. Integrity and availability are not affected: the injection is confined to the query string of a single FT.SEARCH call and cannot issue other Redis commands.

Affected Products

  • Spring AI versions 1.0.0 through 1.0.4
  • Spring AI versions 1.1.0 through 1.1.3
  • Applications using spring-ai-redis-store with user-controlled filter inputs

Discovery Timeline

  • 2026-03-27 - CVE-2026-22744 published to NVD
  • 2026-03-30 - NVD entry last updated

Technical Details for CVE-2026-22744

Vulnerability Analysis

This vulnerability represents a classic query injection flaw in the Spring AI framework's Redis integration layer. The RedisFilterExpressionConverter class is responsible for converting filter expressions into RediSearch query syntax. The vulnerable stringValue() method fails to sanitize or escape special characters that have semantic meaning in RediSearch's TAG field syntax.

RediSearch TAG queries use curly braces {} to delimit the value and | to union several values, and a backslash escapes the next character. Punctuation and whitespace inside a tag value must be backslash-escaped for RediSearch to treat them literally. When user input containing |, }, { or \ is concatenated into the query template without that escaping, the attacker can close the intended value context and inject arbitrary query predicates after it.

The attack vector is network-based: any application that lets external users influence a filter value passed to Spring AI's Redis vector store is potentially at risk. The CVSS vector (PR:N) models the library itself; whether the vulnerable endpoint is reachable without credentials depends on the application. An authenticated search endpoint still needs the fix, since a logged-in user can use the injection to cross tenant or ownership boundaries that the filter was enforcing.

Root Cause

The root cause is missing context-appropriate escaping in the stringValue() method of RedisFilterExpressionConverter. The method builds RediSearch TAG queries by string concatenation without escaping characters that have special meaning in the RediSearch query language, violating the principle of treating all user input as untrusted and encoding output for the context in which it will be interpreted.

Attack Vector

The attack vector is network-based: an attacker sends crafted filter values through application endpoints that use Spring AI's Redis vector store search. The attacker identifies an endpoint that accepts filter parameters for vector similarity searches, then supplies a value that closes the TAG block (for example with a }) and continues with RediSearch syntax such as | @otherfield:{...} to add predicates of their own.

This lets the attacker modify the query logic to return records they should not see, bypass application-level access controls implemented through filter expressions, or enumerate data across different TAG field values. The attack requires no special tooling and is low complexity. The blast radius is bounded by what FT.SEARCH can return from the affected index: the attacker cannot run other Redis commands, but every document in the index becomes readable.
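To make the breakout concrete, here is an added, self-contained Java illustration. It is not Spring AI's code and does not use its classes; the method names, the field name and the tenant values are hypothetical. vulnerableTagQuery() reproduces the verbatim concatenation described above, safeTagQuery() shows the kind of escaping a fixed converter must apply, and main() feeds both a constructed attacker value that closes the tenant block and ORs in a second tenant. The escaping set (everything except letters, digits and underscore) is a conservative choice made for this example, not a rule taken from the advisory; confirm it against the RediSearch version you run.

```java
/**
 * Added illustration of the CVE-2026-22744 bug class. Not Spring AI's code:
 * the names below are hypothetical stand-ins for the converter's stringValue()
 * behaviour before and after a fix.
 */
public class RedisTagInjectionDemo {

    /** Pre-fix behaviour: the value is dropped into the TAG block untouched. */
    static String vulnerableTagQuery(String field, String value) {
        return "@" + field + ":{" + value + "}";
    }

    /**
     * Backslash-escapes every character that is not a letter, digit or underscore.
     * That covers the structural characters | { } and \ as well as the punctuation
     * and whitespace RediSearch tokenizes on (conservative: it also escapes a few
     * characters that did not strictly need it).
     */
    static String escapeTagValue(String value) {
        StringBuilder out = new StringBuilder(value.length() * 2);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (!(Character.isLetterOrDigit(c) || c == '_')) {
                out.append('\\');
            }
            out.append(c);
        }
        return out.toString();
    }

    /** Post-fix behaviour: the value is escaped before it enters the TAG block. */
    static String safeTagQuery(String field, String value) {
        return "@" + field + ":{" + escapeTagValue(value) + "}";
    }

    /** Counts occurrences of a character that are not preceded by an escaping backslash. */
    static int countUnescaped(String query, char target) {
        int n = 0;
        for (int i = 0; i < query.length(); i++) {
            char c = query.charAt(i);
            if (c == '\\') {
                i++;            // whatever follows a backslash is literal
            } else if (c == target) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed attacker input: closes the tenant TAG block, then ORs in a
        // second tenant's records. Anything that reaches the converter unescaped
        // becomes query syntax.
        String tenantFromUser = "acme} | @tenant:{victim-corp";

        String unsafe = vulnerableTagQuery("tenant", tenantFromUser);
        String safe = safeTagQuery("tenant", tenantFromUser);
        System.out.println("vulnerable: " + unsafe);
        System.out.println("escaped   : " + safe);

        // The vulnerable rendering has two tenant predicates joined by an unescaped
        // '|'; the escaped rendering has a single TAG block and no operator.
        if (countUnescaped(unsafe, '|') != 1 || countUnescaped(unsafe, '}') != 2) {
            throw new IllegalStateException("vulnerable query did not break out as expected");
        }
        if (countUnescaped(safe, '|') != 0 || countUnescaped(safe, '}') != 1) {
            throw new IllegalStateException("escaped query should contain exactly one TAG block");
        }
    }
}
```

Running it prints the two renderings side by side; the point of the checks in main() is that escaping changes the parse of the query, not just its appearance. Rejecting the four structural characters (as the workaround below does) is a fence, while escaping is the actual fix because it also handles the punctuation and whitespace that a legitimate tag value may contain.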

Detection Methods for CVE-2026-22744

Indicators of Compromise

  • Unusual characters in application logs for Redis filter parameters, including pipe characters (|), curly braces ({}), or backslashes
  • Unexpected query patterns in Redis slow logs or query monitoring showing malformed TAG expressions
  • Application errors related to RediSearch query parsing failures
  • Anomalous data access patterns where users retrieve records outside their normal scope

Detection Strategies

  • Implement input validation logging to capture and alert on filter values containing RediSearch special characters
  • Deploy application-level WAF rules to detect query injection patterns in request parameters targeting vector search endpoints
  • Watch Redis for FT.SEARCH commands with unusual syntax (unescaped |, unbalanced braces, the same field filtered twice in one query); MONITOR is too expensive for sustained production use, so prefer logging the rendered query from the application, the Redis slow log, or a proxy with command logging
  • Establish baseline metrics for vector store query behavior to identify deviation patterns

Monitoring Recommendations

  • Configure alerting for RediSearch query errors that may indicate injection attempts
  • Monitor application endpoints accepting filter parameters for unusual request volumes or patterns
  • Implement logging correlation between web application requests and Redis commands to trace malicious activity
  • Review Spring AI debug logs for filter expression conversion anomalies
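As an added example (not from the advisory and not SentinelOne or Spring tooling), the scanner below runs the indicators above over constructed log lines. It assumes an application log convention that records filter values as filter.<field>="<value>", and Redis MONITOR-style lines carrying the FT.SEARCH query argument; both formats and all sample lines are made up for the example. It flags metacharacters in a logged filter value, an unescaped | in a rendered query, and the same field being filtered twice in one query, which is what a tenant-scope breakout looks like on the Redis side.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not Spring AI or SentinelOne code: scans two constructed log
 * sources for the CVE-2026-22744 indicators. Log formats are assumptions.
 */
public class RedisTagInjectionLogScan {

    // Assumed application log convention: filter.<field>="<value>"
    private static final Pattern APP_FILTER = Pattern.compile("filter\\.(\\w+)=\"([^\"]*)\"");
    // Redis MONITOR-style line: "FT.SEARCH" "<index>" "<query>" ...; capture the query
    private static final Pattern FT_SEARCH = Pattern.compile("\"FT\\.SEARCH\" \"[^\"]*\" \"([^\"]*)\"");
    // Structural RediSearch characters a plain id or tenant value should never contain
    private static final Pattern SPECIALS = Pattern.compile("[|{}\\\\]");
    // '|' not preceded by a backslash: an unescaped union operator
    private static final Pattern UNESCAPED_PIPE = Pattern.compile("(?<!\\\\)\\|");
    // Start of a TAG predicate, @field:{ , when the '@' is not escaped
    private static final Pattern TAG_PREDICATE = Pattern.compile("(?<!\\\\)@(\\w+):\\{");

    static List<String> scan(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher app = APP_FILTER.matcher(line);
            while (app.find()) {
                if (SPECIALS.matcher(app.group(2)).find()) {
                    findings.add("app-log: metacharacter in filter." + app.group(1)
                            + " value [" + app.group(2) + "]");
                }
            }
            Matcher ft = FT_SEARCH.matcher(line);
            if (ft.find()) {
                String query = ft.group(1);
                if (UNESCAPED_PIPE.matcher(query).find()) {
                    findings.add("redis: unescaped '|' in FT.SEARCH query [" + query + "]");
                }
                // A scoping filter should name each field once; a repeat means a
                // second predicate was appended after the first block was closed.
                Map<String, Integer> perField = new HashMap<>();
                Matcher p = TAG_PREDICATE.matcher(query);
                while (p.find()) {
                    perField.merge(p.group(1), 1, Integer::sum);
                }
                perField.forEach((field, n) -> {
                    if (n > 1) {
                        findings.add("redis: field @" + field + " filtered " + n
                                + " times in one query [" + query + "]");
                    }
                });
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines (not real telemetry): one benign and one
        // injected request, and the FT.SEARCH each one produced.
        List<String> lines = List.of(
            "2026-04-03T10:00:01Z INFO  VectorSearchController filter.tenant=\"acme\" topK=5",
            "2026-04-03T10:00:02Z INFO  VectorSearchController filter.tenant=\"acme} | @tenant:{victim-corp\" topK=5",
            "1775210401.000001 [0 10.0.0.5:51234] \"FT.SEARCH\" \"vector_index\" \"@tenant:{acme}\" \"LIMIT\" \"0\" \"5\"",
            "1775210402.000001 [0 10.0.0.5:51234] \"FT.SEARCH\" \"vector_index\" \"@tenant:{acme} | @tenant:{victim-corp}\" \"LIMIT\" \"0\" \"5\""
        );
        List<String> findings = scan(lines);
        findings.forEach(System.out::println);
        // The injected request should produce one app-log finding and two Redis-side findings.
        if (findings.size() != 3) {
            throw new IllegalStateException("expected 3 findings, got " + findings.size());
        }
    }
}
```

The application-side check is the cheaper and more reliable of the two, because it sees the value before the converter touches it; the Redis-side checks are there to catch traffic from code paths you did not know were passing user input into a filter. Use MONITOR only briefly to validate the FT_SEARCH pattern, then switch to application logging of the rendered query.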

How to Mitigate CVE-2026-22744

Immediate Actions Required

  • Upgrade Spring AI to version 1.0.5 or later for the 1.0.x branch
  • Upgrade Spring AI to version 1.1.4 or later for the 1.1.x branch
  • Confirm the resolved version rather than the declared one, for example with mvn dependency:tree -Dincludes=org.springframework.ai (or the Gradle dependencies task), since a transitive dependency or a BOM can pin an older spring-ai-redis-store
  • Audit all code paths where user input flows into Redis vector store filter expressions, including values that arrive indirectly (JWT claims, headers, stored profile fields)
  • Implement application-level input validation for filter parameters as defense-in-depth

Patch Information

Spring has released patched versions of Spring AI that escape special characters in TAG field values before they are placed in the query. The fix is available in Spring AI 1.0.5 and 1.1.4. Organizations should prioritize upgrading to these versions. For details of the fix, refer to the Spring security advisory for CVE-2026-22744.

Workarounds

  • Reject (do not silently strip) filter values containing RediSearch special characters such as |, {, } and \; stripping changes the value the caller believes it is filtering on
  • Use allowlist validation for filter field values where possible, accepting only expected patterns (for example a tenant identifier matching ^[A-Za-z0-9_-]{1,64}$)
  • Deploy a reverse proxy or WAF rule to block requests carrying those characters in filter parameters before they reach the application
  • Consider temporarily disabling user-controlled filtering for Redis vector stores until the patch can be applied

The recommended stopgap is to validate filter values at the application boundary before they reach Spring AI. The example below rejects the four structural characters; it is a fence, not a fix, because it does not address the punctuation and whitespace that RediSearch also tokenizes on, so the upgrade remains necessary. It uses Pattern.find() rather than String.matches(".*[|{}\\\\].*"): '.' does not match line terminators, so a matches()-based check lets a value containing a newline through.

```java
import java.util.regex.Pattern;

public final class FilterValueValidator {

    // Structural characters of a RediSearch TAG block: '|' (union),
    // '{' / '}' (block delimiters) and '\' (escape).
    private static final Pattern REDISEARCH_SPECIALS = Pattern.compile("[|{}\\\\]");

    // Reject rather than strip: silently removing characters changes the
    // value the caller believes it is filtering on.
    public static String sanitizeFilterValue(String input) {
        if (input != null && REDISEARCH_SPECIALS.matcher(input).find()) {
            throw new IllegalArgumentException("Invalid filter value");
        }
        return input;
    }
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details
  • Type: Query Injection
  • Vendor/Tech: Spring AI
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.04%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Assessment
  • Confidentiality: High
  • Integrity: None
  • Availability: None

Technical References
  • Spring security advisory for CVE-2026-22744

Related CVEs
  • CVE-2026-22738: Spring AI SpEL Injection RCE Vulnerability
  • CVE-2026-22743: Spring AI Neo4j Cypher Injection Vulnerability
  • CVE-2026-22742: Spring AI Bedrock Converse SSRF Vulnerability
  • CVE-2026-22730: Spring AI MariaDB SQLi Vulnerability