Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

GHSA-v6x6-pjxw-3pv2 · CVE-2026-40966

Published Apr 28, 2026 · Modified May 6, 2026

Description

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-40966
PACKAGE https://github.com/spring-projects/spring-ai
WEB https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
WEB https://spring.io/security/cve-2026-40966

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes