CVE-2026-40966
MEDIUM 5.9
Description
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.
CVE details
CVSS v3.1 score: 5.9
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
User interaction: NONE
Published: 4/28/2026
Last modified: 4/29/2026
Source: nvd
Honeypot sightings: 0
Affected products
vmware:spring_ai
Weaknesses (CWE)
CWE-284
References
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (security@vmware.com)
https://spring.io/security/cve-2026-40966 (security@vmware.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.