Description
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
Published: 2026-04-28
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: Data exfiltration
Action: Apply Patch
AI Analysis

Impact

VectorStoreChatMemoryAdvisor in VMware Spring AI allows an attacker to inject malicious filter logic through the conversationId parameter, bypassing conversation isolation and extracting chat history, including secrets and credentials, from other users. This flaw is an example of improper access control, enabling cross‑tenant data leakage without authentication.

Affected Systems

The vulnerability affects systems that deploy VMware Spring AI with the VectorStoreChatMemoryAdvisor component and accept user‑provided conversation identifiers. No specific version numbers are listed; any application that relies on this advisor to scope chat memories is potentially impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. No EPSS score is available, so there is no estimated exploitation probability. The vulnerability is not currently catalogued in CISA’s KEV list. Based on the description, the likely attack vector is a network‑based API where an attacker supplies a crafted conversationId to manipulate the filter logic. Successful exploitation could lead to unauthorized disclosure of sensitive user data.

Generated by OpenCVE AI on April 28, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest VMware Spring AI patch or update to a version where the VectorStoreChatMemoryAdvisor enforces proper isolation of conversation data.
  • Sanitize and validate all user‑supplied conversationId values to prevent injection of filter expressions that could bypass tenant boundaries.
  • Enforce strict access controls so that only authenticated, authorized users can access chat histories for their own tenant, limiting the scope of data the advisor can retrieve.
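
An added example for the second and third recommended actions, not code from Spring AI or from this advisory: it allowlists the client-supplied conversationId and derives the identifier used for memory lookups from the authenticated principal. The class and method names, the allowlist pattern and the `authenticatedUser` parameter are assumptions; the application would pass the result of `scopedId` on as the conversation identifier in place of the raw client value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.regex.Pattern;

/** Added example: allowlist a client-supplied conversationId and bind it to the caller. */
public class ConversationIdGuard {

    // Assumption: conversation ids are short opaque tokens; anything else is rejected.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Rejects quotes, whitespace, operators and every other character outside the allowlist. */
    static String validate(String clientId) {
        if (clientId == null || !ALLOWED.matcher(clientId).matches()) {
            throw new IllegalArgumentException("invalid conversationId");
        }
        return clientId;
    }

    // Derives the lookup id from the authenticated principal plus the validated client id,
    // so a well-formed value still cannot name another user's conversation.
    static String scopedId(String authenticatedUser, String clientId) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            sha256.update(authenticatedUser.getBytes(StandardCharsets.UTF_8));
            sha256.update((byte) 0); // separator so ("ab","c") and ("a","bc") differ
            sha256.update(validate(clientId).getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(sha256.digest()); // hex only: safe in any filter
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the advisory.
        String[] samples = { "order-7f3a", "id with 'quote'", "", "a".repeat(65) };
        for (String s : samples) {
            try {
                System.out.println("accepted -> " + scopedId("alice", s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: [" + s + "]");
            }
        }
    }
}
```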



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Vmware; Vmware spring Ai
Vendors & Products | | Vmware; Vmware spring Ai

Tue, 28 Apr 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
Title | | VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-04-28T06:49:32.025Z

Reserved: 2026-04-16T02:18:56.133Z

Link: CVE-2026-40966

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-28T08:16:01.283

Modified: 2026-04-28T08:16:01.283

Link: CVE-2026-40966

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:30:31Z

Weaknesses