{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40966", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-04-16T02:18:56.133Z", "datePublished": "2026-04-28T06:42:36.619Z", "dateUpdated": "2026-04-28T13:37:35.770Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-28T06:49:32.025Z"}, "title": "VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "type": "CWE"}]}], "affected": [{"vendor": "VMware", "product": "Spring AI", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.6", "versionType": "OSS"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.5", "versionType": "oss"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-40966"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.9, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Jinyeong Seol Seol-JY; Cantina's AppSec agent, Apex ( https://www.cantina.security )", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T13:18:57.595874Z", "id": "CVE-2026-40966", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:37:35.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-28T13:18:57.595874Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T13:37:29.665Z"}}], "cna": {"title": "VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Jinyeong Seol Seol-JY; Cantina's AppSec agent, Apex ( https://www.cantina.security )"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "VMware", "product": "Spring AI", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.6", "versionType": "OSS"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.5", "versionType": "oss"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-40966"}, {"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.", "supportingMedia": [{"type": "text/html", "value": "<p>In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-04-28T06:49:32.025Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40966", "state": "PUBLISHED", "dateUpdated": "2026-04-28T13:37:35.770Z", "dateReserved": "2026-04-16T02:18:56.133Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-04-28T06:42:36.619Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "1CD6DC44-CDE8-47E4-A788-6D8AE716396F", "versionEndExcluding": "1.0.6", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "5013645B-3914-4A40-8D42-CB47344963A7", "versionEndExcluding": "1.1.5", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users\u2019 chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected."}], "id": "CVE-2026-40966", "lastModified": "2026-04-29T18:18:01.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-04-28T08:16:01.283", "references": [{"source": "security@vmware.com", "tags": ["US Government Resource"], "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}, {"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-40966"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security@vmware.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.0.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,1.1.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Spring AI", "source": "cna", "vendor": "VMware"}, "product": "spring_ai", "vendor": "vmware"}], "analysis": {"en": {"generated_at": "2026-04-28T12:24:32.931702+00:00", "value": {"mitigation_remediation": ["Apply the latest VMware Spring AI patch or update to a version where the VectorStoreChatMemoryAdvisor enforces proper isolation of conversation data.", "Sanitize and validate all user\u2011supplied conversationId values to prevent injection of filter expressions that could bypass tenant boundaries.", "Enforce strict access controls so that only authenticated, authorized users can access chat histories for their own tenant, limiting the scope of data the advisor can retrieve."], "summary": {"action": "Apply Patch", "impact": "Data exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects systems that deploy VMware Spring AI with the VectorStoreChatMemoryAdvisor component and accept user\u2011provided conversation identifiers. No specific version numbers are listed; any application that relies on this advisor to scope chat memories is potentially impacted.", "description_and_impact": "VectorStoreChatMemoryAdvisor in VMware Spring AI allows an attacker to inject malicious filter logic through the conversationId parameter, bypassing conversation isolation and extracting chat history, including secrets and credentials, from other users. This flaw is an example of improper access control, enabling cross\u2011tenant data leakage without authentication.", "risk_and_exploitability": "The CVSS score of 5.9 indicates moderate severity, and the absence of an EPSS rating does not provide an estimated exploitation probability. The vulnerability is not currently catalogued in CISA\u2019s KEV list. Based on the description, the likely attack vector is via a network\u2011based API where an attacker supplies a crafted conversationId to manipulate the filter logic. Successful exploitation could lead to unauthorized disclosure of sensitive user data."}}}}, "created": "2026-04-28T09:25:18.811761+00:00", "updated": "2026-04-28T12:30:31.064179+00:00", "vendors": ["vmware", "vmware$PRODUCT$spring_ai"]}