CVE-2026-40966

MEDIUM5.9EPSS 0.05%

Spring AI's VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration

發布日:2026/4/28修改日:2026/5/6

描述

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

受影響套件(1)

Maven/org.springframework.ai:spring-ai-advisors-vector-store>= 1.0.0, < 1.0.6

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-40966
PATCHhttps://github.com/spring-projects/spring-ai
WEBhttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
WEBhttps://spring.io/security/cve-2026-40966