AI Threat Alert

CVE-2026-55405

GHSA-2mfg-cc43-9pcj HIGH
Published June 17, 2026

### Summary The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break out of its SQL...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LangChain maven <= 1.2.0-beta8 1.2.1-beta8
139.2K OpenSSF 6.4 2.7K dependents Pushed 4d ago 24% patched ~156d to patch Full package profile →
pgvector maven <= 1.2.0-beta8 1.2.1-beta8
1.5K 312 dependents Pushed 7d ago 100% patched ~0d to patch Full package profile →

How severe is it?

CVSS 3.1
7.6 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I Low
A Low

What should I do?

Patch available

Update LangChain to version 1.2.1-beta8

Update pgvector to version 1.2.1-beta8

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-55405?

### Summary The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and `removeAll(Filter)` operations. ### Details **pgvector — JSON mode (default, `COMBINED_JSON` / `COMBINED_JSONB`).** `JSONFilterMapper` places the key inside a single-quoted SQL literal (the JSON key of the `->>` operator) with no escaping: (metadata->>'<key>')::text A key containing a single quote breaks out, e.g. `metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --")` injects a live `pg_sleep(1)` (observable as a delay; exploitable for blind data extraction). **pgvector — column mode (`COLUMN_PER_KEY`).** `ColumnFilterMapper` used the key as a bare, unquoted, unvalidated SQL identifier (`<key>::<type>`), so a key such as `1=1 OR true --` injects directly. **MariaDB — JSON mode (default).** `JSONFilterMapper` placed the key inside the JSON path literal `'$.<key>'` unescaped (same break-out mechanism). Additionally, `MariaDbFilterMapper.formatValue()` escaped `'` but not `\`; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal. **MariaDB — column mode (`COLUMN_PER_KEY`).** `ColumnFilterMapper` fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character). The filter key is the runtime injection surface; both stores' `search()` (including pgvector's HYBRID mode) and `removeAll(Filter)` are affected. Add/upsert operations a parameterized and not affected. ### Impact Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and — through `remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable. ### Patches Fixed in `langchain4j-mariadb` and `langchain4j-pgvector` 1.16.3-beta26: - JSON filter keys are escaped before being embedded in the SQL string lit quotes doubled, correct for PostgreSQL `standard_conforming_strings = on`; MariaDB: backslash and single quote). - MariaDB string values escape both `\` and `'`. - Column-mode keys are validated/quoted as identifiers and rejected when u concatenated as raw SQL. ### Workarounds - Do not pass untrusted input as metadata filter keys. - Restrict filter keys to a known allow-list at the application layer. ### References - pgvector: `JSONFilterMapper`, `ColumnFilterMapper` - MariaDB: `JSONFilterMapper`, `MariaDbFilterMapper`, `ColumnFilterMapper`

Is CVE-2026-55405 actively exploited?

No confirmed active exploitation of CVE-2026-55405 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55405?

Update to patched version: LangChain 1.2.1-beta8, pgvector 1.2.1-beta8.

What is the CVSS score for CVE-2026-55405?

CVE-2026-55405 has a CVSS v3.1 base score of 7.6 (HIGH).

What are the technical details?

Original Advisory

### Summary The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter **keys** (and, in MariaDB, string **values**) directly into the query without adequate escaping. A crafted metadata key in `EmbeddingSearchRequest.filter()` can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and `removeAll(Filter)` operations. ### Details **pgvector — JSON mode (default, `COMBINED_JSON` / `COMBINED_JSONB`).** `JSONFilterMapper` places the key inside a single-quoted SQL literal (the JSON key of the `->>` operator) with no escaping: (metadata->>'<key>')::text A key containing a single quote breaks out, e.g. `metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --")` injects a live `pg_sleep(1)` (observable as a delay; exploitable for blind data extraction). **pgvector — column mode (`COLUMN_PER_KEY`).** `ColumnFilterMapper` used the key as a bare, unquoted, unvalidated SQL identifier (`<key>::<type>`), so a key such as `1=1 OR true --` injects directly. **MariaDB — JSON mode (default).** `JSONFilterMapper` placed the key inside the JSON path literal `'$.<key>'` unescaped (same break-out mechanism). Additionally, `MariaDbFilterMapper.formatValue()` escaped `'` but not `\`; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal. **MariaDB — column mode (`COLUMN_PER_KEY`).** `ColumnFilterMapper` fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character). The filter key is the runtime injection surface; both stores' `search()` (including pgvector's HYBRID mode) and `removeAll(Filter)` are affected. Add/upsert operations a parameterized and not affected. ### Impact Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and — through `remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable. ### Patches Fixed in `langchain4j-mariadb` and `langchain4j-pgvector` 1.16.3-beta26: - JSON filter keys are escaped before being embedded in the SQL string lit quotes doubled, correct for PostgreSQL `standard_conforming_strings = on`; MariaDB: backslash and single quote). - MariaDB string values escape both `\` and `'`. - Column-mode keys are validated/quoted as identifiers and rejected when u concatenated as raw SQL. ### Workarounds - Do not pass untrusted input as metadata filter keys. - Restrict filter keys to a known allow-list at the application layer. ### References - pgvector: `JSONFilterMapper`, `ColumnFilterMapper` - MariaDB: `JSONFilterMapper`, `MariaDbFilterMapper`, `ColumnFilterMapper`

Weaknesses (CWE)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Primary

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
  • [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

References

Timeline

Published
June 17, 2026
Last Modified
June 17, 2026
First Seen
June 17, 2026

Related Vulnerabilities

MEDIUM CVE-2026-48148

Budibase: SSRF via VectorDB host exposes cloud metadata

Same package: pgvector
Back to Threat Feed