Threat Advisory

langchain4j-mariadb Vulnerability Allows SQL Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

CVE-2026-55405, with a CVSS score of 7.6, is a SQL injection vulnerability affecting the LangChain4j embedding stores for MariaDB and pgvector. The flaw occurs because filter keys supplied to EmbeddingSearchRequest.filter() are incorporated into SQL statements without proper escaping, allowing specially crafted input to inject arbitrary SQL commands. An attacker who can influence metadata filter keys, such as through user-generated content or LLM-produced filters, may execute malicious database queries, perform blind timing attacks, delete records, or manipulate stored data. Successful exploitation could lead to data exfiltration, denial-of-service conditions, or unauthorized modification and deletion of embeddings. The vulnerability is particularly dangerous in applications that pass untrusted input directly to affected APIs, as exploitation requires only network access and the ability to provide a malicious filter key.
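The flawed pattern and its correction, shown as an added illustration that is not LangChain4j's own code: sqlite3 stands in for MariaDB/pgvector, and the embeddings table, sample rows and key allowlist are assumptions. The value is bound in both builders; only the handling of the key differs.

```python
import re
import sqlite3

# Constructed sample rows: each embedding row carries a JSON metadata document,
# standing in for the metadata column the affected stores filter on.
SAMPLE_ROWS = [
    (1, '{"tenant": "acme", "lang": "en"}'),
    (2, '{"tenant": "acme", "lang": "de"}'),
    (3, '{"tenant": "other", "lang": "en"}'),
]

# Assumed allowlist: the application decides what a metadata key may look like.
KEY_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def key_is_accepted(key: str) -> bool:
    return KEY_PATTERN.fullmatch(key) is not None


def build_filter_vulnerable(key: str, value: str) -> tuple[str, tuple]:
    """Mimics the flawed pattern: the value is bound, but the key is spliced
    into the SQL text, so a key containing a quote changes the statement."""
    sql = f"SELECT id FROM embeddings WHERE json_extract(metadata, '$.{key}') = ?"
    return sql, (value,)


def build_filter_hardened(key: str, value: str) -> tuple[str, tuple]:
    """Two independent controls: reject keys outside the allowlist, and pass
    the JSON path as a bound parameter so it can never alter the SQL text."""
    if not key_is_accepted(key):
        raise ValueError(f"rejected metadata filter key: {key!r}")
    sql = "SELECT id FROM embeddings WHERE json_extract(metadata, ?) = ?"
    return sql, (f"$.{key}", value)


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE embeddings (id INTEGER PRIMARY KEY, metadata TEXT)")
    conn.executemany("INSERT INTO embeddings VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_ids(conn, builder, key: str, value: str) -> list[int]:
    sql, params = builder(key, value)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    store = open_store()
    print(search_ids(store, build_filter_hardened, "tenant", "acme"))  # [1, 2]
    print(build_filter_vulnerable("tenant'", "acme")[0])  # quote lands in the SQL text
    print(key_is_accepted("tenant'"))  # False: the hardened builder refuses it
```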


RECOMMENDATION:


REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-2mfg-cc43-9pcj
