CVE-2026-40966
Memory Exfiltration via Injection in Spring AI VectorStoreChatMemoryAdvisor
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VMware
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vmware | spring_ai | From 1.0.0 (inc) to 1.0.6 (exc) |
| vmware | spring_ai | From 1.1.0 (inc) to 1.1.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40966 is a moderate severity vulnerability in Spring AI that affects the VectorStoreChatMemoryAdvisor component. The vulnerability occurs when an application uses VectorStoreChatMemoryAdvisor and accepts user-supplied input as the conversationId parameter.
An attacker can inject filter logic through the conversationId, which allows them to bypass conversation isolation controls. This means the attacker can access and exfiltrate sensitive memory from other users' chat histories, including secrets and credentials.
Only applications that pass user input directly as conversationId to VectorStoreChatMemoryAdvisor are affected.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive information stored in chat histories of other users. Specifically, an attacker can exfiltrate secrets and credentials from these chat memories.
Because the attacker can bypass conversation isolation without needing privileges or user interaction, this can result in a significant confidentiality breach.
However, the vulnerability does not impact data integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your application uses the VectorStoreChatMemoryAdvisor component and whether it passes user-supplied input directly as the conversationId parameter.
Since the vulnerability arises from injection through the conversationId parameter, monitoring or logging unusual or suspicious conversationId values that contain filter logic or injection patterns could help detect exploitation attempts.
No specific commands or network detection signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade the affected Spring AI versions to the fixed releases.
- Upgrade to version 1.0.6 if you are using the 1.0.x branch.
- Upgrade to version 1.1.5 if you are using the 1.1.x branch.
No additional mitigation steps are required beyond upgrading.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to bypass conversation isolation and exfiltrate sensitive memory from other users' chat histories, including secrets and credentials.
Such unauthorized access and exposure of sensitive personal or confidential information could potentially lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and security of personal and sensitive data.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.