CVE-2026-40966 — In Spring AI, an attacker can bypass conversation isolation
CVE-2026-40966 — In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-su
What This Means For You
- If your environment is affected by CWE-284, review your exposure and prioritize patching based on your environment. Monitor vendor advisories for CVE-2026-40966 updates and patches.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Spring AI Conversation Isolation Bypass via conversationId injection - CVE-2026-40966
title: Spring AI Conversation Isolation Bypass via conversationId injection - CVE-2026-40966
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
Detects attempts to exploit CVE-2026-40966 by injecting malicious logic into the conversationId parameter of a web request targeting a Spring AI application. This injection can bypass conversation isolation, allowing an attacker to exfiltrate sensitive data from other users' chat histories. This rule specifically looks for POST requests to common API chat endpoints containing the 'conversationId=' parameter in the query string, which is a key indicator of the exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-40966/
tags:
- attack.defense_evasion
- attack.t1537
logsource:
category: webserver
detection:
selection:
cs-uri-query|contains:
- 'conversationId='
cs-uri|contains:
- '/api/chat'
cs-method|exact:
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40966 | vulnerability | CVE-2026-40966 |
| CWE-284 | weakness | CWE-284 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 11:16 UTC |
This content was curated and summarized by Shimi's Cyber World for informational purposes. It is not copied or republished in full. All intellectual property rights remain with the original author and source.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7280 — Code Execution
CVE-2026-7280 — AVACAST developed by eMPIA Technology has a Unquoted Service Path vulnerability, allowing privileged local attackers to place a malicious executable file in a...
AVACAST DLL Hijacking (CVE-2026-7279) Allows System Code Execution
CVE-2026-7279 — AVACAST developed by eMPIA Technology, has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a malicious DLL in a specific directory,...
CVE-2026-7264 — SQL Injection
CVE-2026-7264 — A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function get_cart_items of the file /admin/ajax.php?action=get_cart_items. Executing a manipulation...