{"api_version":"1","generated_at":"2026-04-28T12:17:18+00:00","cve":"CVE-2026-40966","urls":{"html":"https://cve.report/CVE-2026-40966","api":"https://cve.report/api/cve/CVE-2026-40966.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-40966","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-40966"},"summary":{"title":"VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration","description":"In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.","state":"PUBLISHED","assigner":"vmware","published_at":"2026-04-28 08:16:01","updated_at":"2026-04-28 08:16:01"},"problem_types":["CWE-284","CWE-284 CWE-284 Improper Access Control"],"metrics":[{"version":"3.1","source":"security@vmware.com","type":"Secondary","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","name":"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","refsource":"security@vmware.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://spring.io/security/cve-2026-40966","name":"https://spring.io/security/cve-2026-40966","refsource":"security@vmware.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-40966","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40966","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"VMware","product":"Spring AI","version":"affected 1.0.0 1.0.6 OSS","platforms":[]},{"source":"CNA","vendor":"VMware","product":"Spring AI","version":"affected 1.1.0 1.1.5 oss","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Jinyeong Seol Seol-JY; Cantina's AppSec agent, Apex ( https://www.cantina.security )","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Spring AI","vendor":"VMware","versions":[{"lessThan":"1.0.6","status":"affected","version":"1.0.0","versionType":"OSS"},{"lessThan":"1.1.5","status":"affected","version":"1.1.0","versionType":"oss"}]}],"credits":[{"lang":"en","type":"finder","value":"Jinyeong Seol Seol-JY; Cantina's AppSec agent, Apex ( https://www.cantina.security )"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.</p>"}],"value":"In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-284","description":"CWE-284 Improper Access Control","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-28T06:49:32.025Z","orgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","shortName":"vmware"},"references":[{"url":"https://spring.io/security/cve-2026-40966"},{"url":"https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"source":{"discovery":"UNKNOWN"},"title":"VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration","x_generator":{"engine":"Vulnogram 1.0.1"}}},"cveMetadata":{"assignerOrgId":"dcf2e128-44bd-42ed-91e8-88f912c1401d","assignerShortName":"vmware","cveId":"CVE-2026-40966","datePublished":"2026-04-28T06:42:36.619Z","dateReserved":"2026-04-16T02:18:56.133Z","dateUpdated":"2026-04-28T06:49:32.025Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-28 08:16:01","lastModifiedDate":"2026-04-28 08:16:01","problem_types":["CWE-284","CWE-284 CWE-284 Improper Access Control"],"metrics":{"cvssMetricV31":[{"source":"security@vmware.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"40966","Ordinal":"1","Title":"VectorStoreChatMemoryAdvisor conversation scoping can lead to cr","CVE":"CVE-2026-40966","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"40966","Ordinal":"1","NoteData":"In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.","Type":"Description","Title":"VectorStoreChatMemoryAdvisor conversation scoping can lead to cr"}]}}}