What is CVE-2026-40966?

CVE-2026-40966 is a medium-severity vulnerability in Vmware Spring Ai, classified under Improper Access Control. CVSS score: 5.9/10. Published 2026-04-28.

How severe is CVE-2026-40966?

Medium severity. CVSS v3 base score is 5.9 out of 10.

Vulnerability in Vmware Spring Ai

CVE-2026-40966

In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users’ chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use V…

EPSS: 0.001 (17.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Vmware Spring Ai — versions 1.0.0, 1.1.0
Vmware Spring_ai

Weakness classification (CWE)

CWE-284 — Improper Access Control

References

security@vmware.com (Vendor Advisory)
security@vmware.com (US Government Resource)

Frequently asked questions

What is CVE-2026-40966?: CVE-2026-40966 is a medium-severity vulnerability in Vmware Spring Ai, classified under Improper Access Control. CVSS score: 5.9/10. Published 2026-04-28.
How severe is CVE-2026-40966?: Medium severity. CVSS v3 base score is 5.9 out of 10.