VYPR
High severity 8.2 · NVD Advisory · Published May 12, 2026 · Updated May 12, 2026

CVE-2026-41713


Description

A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Spring AI PromptChatMemoryAdvisor is vulnerable to prompt injection via memory poisoning, allowing attackers to manipulate model behavior across conversation turns.

The vulnerability is a prompt injection in Spring AI's PromptChatMemoryAdvisor, where a malicious user can craft input that gets stored in conversation memory and later interpreted by the model in an unintended way [2]. This is a form of memory poisoning that can alter the model's behavior across turns.

An attacker with the ability to send user-controlled input to an application using the affected advisor can inject malicious content into the conversation history. No authentication is required (CVSS PR:N), and the attack is network-based (AV:N) with low complexity [1]. The injected input is stored and later retrieved, causing the model to act on the poisoned context.

Successful exploitation leads to integrity impact (I:H) as the attacker can manipulate model responses, potentially causing the application to generate incorrect or harmful outputs. Confidentiality impact is low (C:L) as the attacker may gain limited information [1]. The attack does not require privileges or user interaction.

Spring has released patches in versions 1.0.7 and 1.1.6 for the affected 1.0.x and 1.1.x branches [2]. Users should upgrade immediately. No workarounds are mentioned. The vulnerability was reported by Ahmed Sekka [2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
