Back to CVE List

CVE-2026-40966

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score
5.9 / 10
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Description

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-284
Source
NVD
Vendor
VMware
Product
Spring AI

External References

Discussion (0)

Add Comment

No comments yet. Be the first!