CVE-2026-40966 — Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-

Description

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

How to fix CVE-2026-40966

To remediate CVE-2026-40966, upgrade the affected package to a fixed version below.

—upgrade to 1.0.6 or later

Is CVE-2026-40966 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0.0, < 1.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40966
PATCHgithub.com/spring-projects/spring-ai
WEBnvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
WEBspring.io/security/cve-2026-40966