CVE-2026-55405 is a high-severity SQL injection vulnerability in dev.langchain4j:langchain4j-mariadb (maven), affecting versions <= 1.2.0-beta8. It is fixed in 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, 1.16.3-beta26.
Summary The MariaDB and pgvector embedding stores build metadata-filter SQL by string-concatenating filter keys (and, in MariaDB, string values) directly into the query without adequate escaping. A crafted metadata key in EmbeddingSearchRequest.filter() can break out of its SQL context and inject arbitrary SQL into the statements executed by the stores' search and removeAll(Filter) operations. Details pgvector, JSON mode (default, COMBINEDJSON / COMBINEDJSONB). JSONFilterMapper places the key inside a single-quoted SQL literal (the JSON key of the ->> operator) with no escaping: (metadata->>'<key>')::text A key containing a single quote breaks out, e.g. metadataKey("')::text IS NOT NULL OR pgsleep(1) IS NOT NULL --") injects a live pgsleep(1) (observable as a delay; exploitable for blind data extraction). pgvector, column mode (COLUMNPERKEY). ColumnFilterMapper used the key as a bare, unquoted, unvalidated SQL identifier (<key>::<type>), so a key such as 1=1 OR true -- injects directly. MariaDB, JSON mode (default). JSONFilterMapper placed the key inside the JSON path literal '$.<key>' unescaped (same break-out mechanism). Additionally, MariaDbFilterMapper.formatValue() escaped ' but not \; because MariaDB treats backslash as an escape character by default, a string value ending in a backslash could also break out of its literal. MariaDB, column mode (COLUMNPERKEY). ColumnFilterMapper fell back to the raw, unescaped key when the driver could not quote it as an identifier (e.g. a character). The filter key is the runtime injection surface; both stores' search() (including pgvector's HYBRID mode) and removeAll(Filter) are affected. Add/upsert operations a parameterized and not affected. Impact Applications that allow attacker-influenced metadata filter keys (e.g. use LLM-generated filters) to reach these stores are exposed to SQL injection: blind data exfiltration, denial of service via sleep functions, and, through remove deletion of arbitrary rows. Applications using only hard-coded, developer-defined filter keys are not reachable. Patches Fixed in langchain4j-mariadb and langchain4j-pgvector 1.16.3-beta26: JSON filter keys are escaped before being embedded in the SQL string lit quotes doubled, correct for PostgreSQL standardconformingstrings = on; MariaDB: backslash and single quote). MariaDB string values escape both \ and '. Column-mode keys are validated/quoted as identifiers and rejected when u concatenated as raw SQL. Workarounds Do not pass untrusted input as metadata filter keys. Restrict filter keys to a known allow-list at the application layer. References pgvector: JSONFilterMapper, ColumnFilterMapper MariaDB: JSONFilterMapper, MariaDbFilterMapper, ColumnFilterMapper`
Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access. Typical impact: data disclosure or modification.
CVE-2026-55405 has a CVSS score of 7.6 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, 1.16.3-beta26). Upgrading removes the vulnerable code path.
maven
dev.langchain4j:langchain4j-mariadb (<= 1.2.0-beta8)dev.langchain4j:langchain4j-mariadb (>= 1.3.0-beta9, <= 1.5.0-beta11)dev.langchain4j:langchain4j-mariadb (>= 1.6.0-beta12, <= 1.11.7-beta19)dev.langchain4j:langchain4j-mariadb (>= 1.12.1-beta21, <= 1.16.2-beta26)dev.langchain4j:langchain4j-pgvector (<= 1.2.0-beta8)dev.langchain4j:langchain4j-pgvector (>= 1.3.0-beta9, <= 1.5.0-beta11)dev.langchain4j:langchain4j-pgvector (>= 1.6.0-beta12, <= 1.11.7-beta19)dev.langchain4j:langchain4j-pgvector (>= 1.12.1-beta21, <= 1.16.2-beta26)dev.langchain4j:langchain4j-mariadb → 1.2.1-beta8 (maven)dev.langchain4j:langchain4j-mariadb → 1.5.1-beta11 (maven)dev.langchain4j:langchain4j-mariadb → 1.11.8-beta19 (maven)dev.langchain4j:langchain4j-mariadb → 1.16.3-beta26 (maven)dev.langchain4j:langchain4j-pgvector → 1.2.1-beta8 (maven)dev.langchain4j:langchain4j-pgvector → 1.5.1-beta11 (maven)dev.langchain4j:langchain4j-pgvector → 1.11.8-beta19 (maven)dev.langchain4j:langchain4j-pgvector → 1.16.3-beta26 (maven)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-55405 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-55405 is reachable in your applications. Get a demo
Upgrade the following packages to resolve this vulnerability:
dev.langchain4j:langchain4j-mariadb to 1.2.1-beta8 or laterdev.langchain4j:langchain4j-mariadb to 1.5.1-beta11 or laterdev.langchain4j:langchain4j-mariadb to 1.11.8-beta19 or laterdev.langchain4j:langchain4j-mariadb to 1.16.3-beta26 or laterdev.langchain4j:langchain4j-pgvector to 1.2.1-beta8 or laterdev.langchain4j:langchain4j-pgvector to 1.5.1-beta11 or laterdev.langchain4j:langchain4j-pgvector to 1.11.8-beta19 or laterdev.langchain4j:langchain4j-pgvector to 1.16.3-beta26 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-55405 is a high-severity SQL injection vulnerability in dev.langchain4j:langchain4j-mariadb (maven), affecting versions <= 1.2.0-beta8. It is fixed in 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, 1.16.3-beta26. Untrusted input alters a database query, allowing the attacker to read or modify data the query was not intended to access.
CVE-2026-55405 has a CVSS score of 7.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
dev.langchain4j:langchain4j-mariadb (maven) (versions <= 1.2.0-beta8)dev.langchain4j:langchain4j-pgvector (maven) (versions <= 1.2.0-beta8)Yes. CVE-2026-55405 is fixed in 1.2.1-beta8, 1.5.1-beta11, 1.11.8-beta19, 1.16.3-beta26. Upgrade to this version or later.
Whether CVE-2026-55405 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
dev.langchain4j:langchain4j-mariadb to 1.2.1-beta8 or laterdev.langchain4j:langchain4j-mariadb to 1.5.1-beta11 or laterdev.langchain4j:langchain4j-mariadb to 1.11.8-beta19 or laterdev.langchain4j:langchain4j-mariadb to 1.16.3-beta26 or laterdev.langchain4j:langchain4j-pgvector to 1.2.1-beta8 or laterdev.langchain4j:langchain4j-pgvector to 1.5.1-beta11 or laterdev.langchain4j:langchain4j-pgvector to 1.11.8-beta19 or laterdev.langchain4j:langchain4j-pgvector to 1.16.3-beta26 or later