Back to overview

CVE-2026-55405

HIGH
7.6
CVSS 3.1
Description
LangChain4j is a Java library for building LLM-powered applications on the JVM. Prior to 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26, the MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys, and in MariaDB string values, directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations, enabling blind data exfiltration, denial of service via sleep functions, and deletion of arbitrary rows through removeAll(Filter). This issue is fixed in langchain4j-mariadb and langchain4j-pgvector versions 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, and 1.16.3-beta26.

Metadata

CVE ID
CVE-2026-55405
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-16 21:48 UTC
Published
2026-07-10 20:33 UTC
Last updated
2026-07-10 20:33 UTC
Primary CWE
CWE-89
CWE-89: Improper Neutralization of Special Elements used in …
Vendor / Product
langchain4j / langchain4j
Sources
cve.org  ·  NVD

Severity & Metrics

7.6 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Affected products (1)
VendorProductPlatformVersions
langchain4j langchain4j < 1.2.1-beta8, >= 1.3.0-beta9, < 1.5.1-beta11, >= 1.6.0-beta12, < 1.11.8-beta19, >= 1.12.1-beta21, < 1.16.3-beta26
Weakness (CWE)
CWESourceDescription
CWE-89 cna CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.6 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
References (7)
Back to overview