GHSA-2mfg-cc43-9pcjHighCVSS 7.6

LangChain4j: SQL injection via metadata filters in langchain4j-mariadb and langchain4j-pgvector

Published
June 17, 2026
Last Modified
June 17, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys (and, in MariaDB, string values) directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations.

Details

pgvector — JSON mode (default, COMBINED_JSON / COMBINED_JSONB). JSONFilterMapper places the key inside a single-quoted SQL literal (the JSON key of the ->> operator) with no escaping:

(metadata->>'<key>')::text

A key containing a single quote breaks out, e.g. metadataKey("')::text IS NOT NULL OR pg_sleep(1) IS NOT NULL --") injects a live pg_sleep(1) (observable as a delay; exploitable for blind data extraction).

pgvector — column mode (COLUMN_PER_KEY). ColumnFilterMapper used the key as a bare, unquoted, unvalidated SQL identifier (<key>::<type>), so a key such as 1=1 OR true -- injects directly.

MariaDB — JSON mode (default). JSONFilterMapper placed the key inside the JSON path literal '$.<key>' unescaped (same break-out mechanism). Additionally, MariaDbFilterMapper.formatValue() escaped ' but not \; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal.

MariaDB — column mode (COLUMN_PER_KEY). ColumnFilterMapper fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character).

The filter key is the runtime injection surface; both stores' search() (including pgvector's HYBRID mode) and removeAll(Filter) are affected. Add/upsert operations a parameterized and not affected.

Impact

Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and — through `remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable.

Patches

Fixed in langchain4j-mariadb and langchain4j-pgvector 1.16.3-beta26:

  • JSON filter keys are escaped before being embedded in the SQL string lit quotes doubled, correct for PostgreSQL standard_conforming_strings = on; MariaDB: backslash and single quote).
  • MariaDB string values escape both \ and '.
  • Column-mode keys are validated/quoted as identifiers and rejected when u concatenated as raw SQL.

Workarounds

  • Do not pass untrusted input as metadata filter keys.
  • Restrict filter keys to a known allow-list at the application layer.

References

  • pgvector: JSONFilterMapper, ColumnFilterMapper
  • MariaDB: JSONFilterMapper, MariaDbFilterMapper, ColumnFilterMapper

🎯 Affected products8

  • maven/dev.langchain4j:langchain4j-mariadb:<= 1.2.0-beta8
  • maven/dev.langchain4j:langchain4j-mariadb:>= 1.3.0-beta9, <= 1.5.0-beta11
  • maven/dev.langchain4j:langchain4j-mariadb:>= 1.6.0-beta12, <= 1.11.7-beta19
  • maven/dev.langchain4j:langchain4j-mariadb:>= 1.12.1-beta21, <= 1.16.2-beta26
  • maven/dev.langchain4j:langchain4j-pgvector:<= 1.2.0-beta8
  • maven/dev.langchain4j:langchain4j-pgvector:>= 1.3.0-beta9, <= 1.5.0-beta11
  • maven/dev.langchain4j:langchain4j-pgvector:>= 1.6.0-beta12, <= 1.11.7-beta19
  • maven/dev.langchain4j:langchain4j-pgvector:>= 1.12.1-beta21, <= 1.16.2-beta26

🔗 References (2)