CVE-2026-40966
Received Received - Intake
Memory Exfiltration via Injection in Spring AI VectorStoreChatMemoryAdvisor

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VMware

Description
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40966
EUVD
EUVD-2026-26002
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vmware spring_ai From 1.0.0 (inc) to 1.0.6 (exc)
vmware spring_ai From 1.1.0 (inc) to 1.1.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40966 is a moderate severity vulnerability in Spring AI that affects the VectorStoreChatMemoryAdvisor component. The vulnerability occurs when an application uses VectorStoreChatMemoryAdvisor and accepts user-supplied input as the conversationId parameter.

An attacker can inject filter logic through the conversationId, which allows them to bypass conversation isolation controls. This means the attacker can access and exfiltrate sensitive memory from other users' chat histories, including secrets and credentials.

Only applications that pass user input directly as conversationId to VectorStoreChatMemoryAdvisor are affected.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information stored in chat histories of other users. Specifically, an attacker can exfiltrate secrets and credentials from these chat memories.

Because the attacker can bypass conversation isolation without needing privileges or user interaction, this can result in a significant confidentiality breach.

However, the vulnerability does not impact data integrity or availability.

Detection Guidance

Detection of this vulnerability involves identifying if your application uses the VectorStoreChatMemoryAdvisor component and whether it passes user-supplied input directly as the conversationId parameter.

Since the vulnerability arises from injection through the conversationId parameter, monitoring or logging unusual or suspicious conversationId values that contain filter logic or injection patterns could help detect exploitation attempts.

No specific commands or network detection signatures are provided in the available resources.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade the affected Spring AI versions to the fixed releases.

  • Upgrade to version 1.0.6 if you are using the 1.0.x branch.
  • Upgrade to version 1.1.5 if you are using the 1.1.x branch.

No additional mitigation steps are required beyond upgrading.

Compliance Impact

This vulnerability allows an attacker to bypass conversation isolation and exfiltrate sensitive memory from other users' chat histories, including secrets and credentials.

Such unauthorized access and exposure of sensitive personal or confidential information could potentially lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which mandate strict controls over the confidentiality and security of personal and sensitive data.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart