CVE-2026-40966 MEDIUM

CVE-2026-40966: VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

Vendor Vmware

Product Spring AI

Weakness CWE-284

Published April 28, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

5.9/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

Key dates

02Disclosure timeline

April 28, 2026 CVE published

April 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40966 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/284.html

Related vulnerabilities

Identifiers

CVE CVE-2026-40966

CWE CWE-284

CVSS 5.9 / MEDIUM

Affected versions

Vendor Vmware

Product Spring AI

Affected ≥ 1.0.0 and < 1.0.6

Vendor Vmware

Product Spring AI

Affected ≥ 1.1.0 and < 1.1.5

CVE-2026-40966: VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

01Description

02Disclosure timeline

03References

04Related CVE