Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 2 maven packages depend on org.springframework.ai:spring-ai-advisors-vector-store (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.0.
DescriptionCVE.org
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
AnalysisAI
Spring AI fails to properly isolate conversation contexts when user-supplied input is passed directly as conversationId to VectorStoreChatMemoryAdvisor, allowing remote unauthenticated attackers to inject filter logic that exfiltrates sensitive data from other users' chat histories, including secrets and credentials. Exploitation requires moderately complex attack construction (AC:H) but no user interaction, affecting only applications with the specific vulnerable configuration pattern.
Technical ContextAI
Spring AI's VectorStoreChatMemoryAdvisor component manages conversation history storage and retrieval using vector databases. The vulnerability stems from insufficient input validation on the conversationId parameter, which is used to construct database query filters. When an application directly passes user-supplied input as conversationId without sanitization, attackers can inject filter bypass logic (analogous to SQL injection or NoSQL injection patterns) to retrieve conversation records belonging to other users. The underlying issue is a lack of proper access control enforcement at the query construction layer (CWE-284: Improper Access Control), allowing an authenticated or unauthenticated actor to circumvent the intended conversation isolation boundary.
RemediationAI
Vendors must release a patched version of Spring AI that implements input validation and sanitization on the conversationId parameter, or enforce static, application-generated conversation identifiers rather than accepting user-supplied input. Affected applications should immediately audit code to identify any instances where conversationId is derived from user input, and implement one of the following compensating controls: (1) Use static, server-generated conversation identifiers instead of user-supplied values, regenerating them server-side and mapping them to user sessions; (2) If user-supplied conversationId is required, implement strict allowlist validation (e.g., alphanumeric characters only, maximum length) before passing to VectorStoreChatMemoryAdvisor; (3) Add database-layer access control to ensure queries for conversation history include an explicit user/session identifier filter that cannot be bypassed by conversationId injection. The first option eliminates the attack surface entirely with no performance impact. The second requires careful payload analysis to ensure the allowlist cannot be circumvented. The third adds query construction complexity but allows user-facing conversationId if needed. Monitor conversation history retrieval logs for anomalous patterns (requests accessing conversations belonging to different user sessions). For non-vulnerable versions and patched releases, consult https://spring.io/security/cve-2026-40966.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26002