CVE-2026-22743

@@ -16,6 +16,8 @@
 
 package org.springframework.ai.vectorstore.neo4j.filter;
 
+import org.neo4j.cypherdsl.support.schema_name.SchemaNames;
+
 import org.springframework.ai.vectorstore.filter.Filter;
 import org.springframework.ai.vectorstore.filter.Filter.Expression;
 import org.springframework.ai.vectorstore.filter.Filter.Group;
@@ -76,7 +78,11 @@ protected void doNot(Expression expression, StringBuilder context) {
 
 	@Override
 	protected void doKey(Key key, StringBuilder context) {
-		context.append("node.").append("`metadata.").append(key.key().replace("\"", "")).append("`");
+		String sanitized = SchemaNames.sanitize("metadata." + key.key(), true)
+			.orElseThrow(() -> new IllegalArgumentException(
+					"Invalid or empty metadata key cannot be used in a Neo4j filter expression: '%s'"
+						.formatted(key.key())));
+		context.append("node.").append(sanitized);
 	}
 
 	@Override

@@ -126,7 +126,7 @@ public void testDecimal() {
 	@Test
 	public void testComplexIdentifiers() {
 		String vectorExpr = this.converter
-			.convertExpression(new Expression(EQ, new Key("\"country 1 2 3\""), new Value("BG")));
+			.convertExpression(new Expression(EQ, new Key("country 1 2 3"), new Value("BG")));
 		assertThat(vectorExpr).isEqualTo("node.`metadata.country 1 2 3` = \"BG\"");
 	}
 
@@ -139,6 +139,13 @@ public void testComplexIdentifiers2() {
 			.isEqualTo("node.`metadata.author` IN [\"john\",\"jill\"] AND node.`metadata.article_type` = \"blog\"");
 	}
 
+	@Test
+	public void testComplexIdentifiers3() {
+		String vectorExpr = this.converter
+			.convertExpression(new Expression(EQ, new Key("\"country 1 2 3\""), new Value("BG")));
+		assertThat(vectorExpr).isEqualTo("node.`metadata.\"country 1 2 3\"` = \"BG\"");
+	}
+
 	@Test
 	public void testEmptyList() {
 		// category IN []
@@ -250,4 +257,25 @@ public void testNegativeNumbers() {
 		assertThat(vectorExpr).isEqualTo("node.`metadata.valueA` <= -5 AND node.`metadata.valueB` >= -10");
 	}
 
+	@Test
+	public void testKeyWithBacktick() {
+		String vectorExpr = this.converter
+			.convertExpression(new Expression(EQ, new Key("a` IS NOT NULL WITH node, score //"), new Value("v")));
+		assertThat(vectorExpr).isEqualTo("node.`metadata.a`` IS NOT NULL WITH node, score //` = \"v\"");
+	}
+
+	@Test
+	public void testKeyFromTextParser() {
+		Expression expr = new FilterExpressionTextParser().parse("\"safe_key\" == 'value'");
+		String vectorExpr = this.converter.convertExpression(expr);
+		assertThat(vectorExpr).isEqualTo("node.`metadata.safe_key` = \"value\"");
+	}
+
+	@Test
+	public void testKeyWithControlCharacters() {
+		String vectorExpr = this.converter
+			.convertExpression(new Expression(EQ, new Key("key\nwith\nnewline"), new Value("v")));
+		assertThat(vectorExpr).isEqualTo("node.`metadata.key\nwith\nnewline` = \"v\"");
+	}
+
 }