28 changes: 28 additions & 0 deletions src/pentesting-web/sql-injection/README.md
Expand Up @@ -652,6 +652,33 @@ Mitigations:
- Never concatenate identifiers from user input. Map allowed column names to a fixed allow-list and quote identifiers properly.
- If dynamic table access is required, restrict to a finite set and resolve server-side from a safe mapping.


### SQLi via AST/filter-to-SQL converters (JSON_VALUE predicates)

Some frameworks **convert structured filter ASTs into raw SQL boolean fragments** (e.g., metadata filters or JSON predicates) and then **string-concatenate** those fragments into larger queries. If the converter **wraps string values as `'%s'` without escaping**, a single quote in user input terminates the literal and the rest is parsed as SQL.

Example pattern (conceptual):

```sql
JSON_VALUE(metadata, '$.department') = '<user_value>'
```

Payload (URL-encoded): `%27%20OR%20%271%27%3D%271` → decoded: `' OR '1'='1` → predicate becomes:

```sql
JSON_VALUE(metadata, '$.department') = '' OR '1'='1'
```

Impact:
- **Authorization bypass**: always-true predicates return cross-tenant/department rows.
- **Destructive writes**: if the same fragment is reused in `DELETE/UPDATE ... WHERE <predicate>`, it can wipe data.
- **RAG-specific risk**: leaked rows may only surface indirectly inside LLM answers, making detection harder.

Hunting tips:
- Look for classes that **serialize filter/AST nodes to SQL** and append them into queries via `String.format`, `+`, or templating.
- Verify string emitters **escape single quotes and backslashes**; parameter binding only works for scalar values, not entire boolean expressions.
- Prefer builders that keep **predicates parameterized** (values as bind params) and never inline user-controlled literals.

### WAF bypass suggester tools


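Review bot: the new section drops the "Mitigations:" list that the surrounding sections use (see the context lines at the top of this hunk) and instead folds the defensive guidance into "Hunting tips", so a reader looking for the fix has to infer it from the hunting bullets. Suggest moving the two defensive bullets ("Verify string emitters **escape single quotes and backslashes**..." and "Prefer builders that keep **predicates parameterized**...") under a "Mitigations:" heading placed after "Impact:", keeping "Hunting tips:" for the code-search advice only. Two wording points in those bullets: "parameter binding only works for scalar values, not entire boolean expressions" would be clearer as a concrete instruction, i.e. the converter should emit `JSON_VALUE(metadata, '$.department') = ?` and push the user value into a bind list rather than into the SQL text; and "escape single quotes and backslashes" is dialect-dependent (on MySQL/MariaDB backslash handling changes under `NO_BACKSLASH_ESCAPES`), which is one more reason to prefer binding over escaping and is worth a parenthetical. Minor: the double blank lines before the `###` heading and after "### WAF bypass suggester tools" should be single, matching the rest of the file.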
Expand All @@ -674,5 +701,6 @@ https://github.com/carlospolop/Auto_Wordlists/blob/main/wordlists/sqli.txt
## References

- [https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/](https://blog.sicuranext.com/vtenext-25-02-a-three-way-path-to-rce/)
- [https://blog.securelayer7.net/cve-2026-22730-sql-injection-spring-ai-mariadb/](https://blog.securelayer7.net/cve-2026-22730-sql-injection-spring-ai-mariadb/)

{{#include ../../banners/hacktricks-training.md}}
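Review bot: the reference added here is the only place the source of the new section appears, and the section body in the previous hunk never links to it or names the affected framework, even though the URL itself carries both (`cve-2026-22730-sql-injection-spring-ai-mariadb`). Suggest citing this link inline in the new "SQLi via AST/filter-to-SQL converters" section (for example right after "Example pattern (conceptual):") so readers can trace the `JSON_VALUE ... = '%s'` pattern back to the write-up, and stating in the section text which project the pattern was observed in, as the other sections of this file do.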