CVE-2026-40966: Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

April 28, 2026 (updated May 6, 2026)

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

References

github.com/advisories/GHSA-v6x6-pjxw-3pv2
github.com/spring-projects/spring-ai
nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd.nist.gov/vuln/detail/CVE-2026-40966
spring.io/security/cve-2026-40966

Code Behaviors & Features

Detect and mitigate CVE-2026-40966 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →