Spring AI, a popular framework designed to simplify AI integration for Spring developers, has issued a security bulletin addressing three severe vulnerabilities.
Ranging from data destruction to cross-user data leakage and prompt injection, these flaws threaten the integrity and confidentiality of AI-driven applications. Security teams managing Spring AI deployments must prioritize these patches immediately.
Here is a breakdown of the three vulnerabilities currently threatening Spring AI infrastructure.
Data Destruction via Milvus (CVE-2026-41705)
Carrying the highest severity score of the group (CVSS 8.6), this vulnerability represents a direct threat to the integrity of your vector databases.
The flaw exists within how the framework handles database deletions. Specifically, “Spring AI’s Milvus VectorStore#doDelete (List) implementation is vulnerable to filter-expression injection via unsanitized document IDs”. By passing specially crafted, unsanitized inputs into the deletion method, an attacker can manipulate the filter expression, potentially triggering widespread and unauthorized data destruction within the Milvus VectorStore.
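A defense-in-depth check for the delete path described above, as an added Java example rather than Spring AI's own code: it allow-lists document IDs before any filter expression is built. The class name, the doc_id field, the UUID-only ID format and the filter shape are assumptions for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/** Added illustration: allow-list document IDs before they reach a delete filter. */
public class DocumentIdGuard {

    // Assumption: IDs are canonical UUID strings; adjust to your own ID scheme.
    private static final Pattern UUID_ID = Pattern.compile(
            "[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}");

    /** Returns the IDs unchanged, or throws if any one is not a plain UUID. */
    static List<String> requireSafeIds(List<String> ids) {
        if (ids == null || ids.isEmpty()) {
            throw new IllegalArgumentException("refusing delete with no IDs");
        }
        for (String id : ids) {
            // matches() must consume the whole string, so quotes, brackets,
            // whitespace or operators anywhere in the ID cause a rejection.
            if (id == null || !UUID_ID.matcher(id).matches()) {
                // Fail the whole batch: a partial delete would hide the bad input.
                throw new IllegalArgumentException("rejected document ID (not a UUID)");
            }
        }
        return List.copyOf(ids);
    }

    /** Hypothetical filter builder; idField is a code constant, never user input. */
    static String buildDeleteFilter(String idField, List<String> ids) {
        return requireSafeIds(ids).stream()
                .map(id -> "\"" + id + "\"")
                .collect(Collectors.joining(",", idField + " in [", "]"));
    }

    public static void main(String[] args) {
        // Constructed sample input, not taken from the advisory.
        List<String> good = List.of("3f2b8c1e-9a4d-4c6f-8b7a-1d2e3f4a5b6c");
        List<String> bad = List.of("3f2b8c1e-9a4d-4c6f-8b7a-1d2e3f4a5b6c", "doc-1\"] trailing");

        System.out.println(buildDeleteFilter("doc_id", good));
        try {
            buildDeleteFilter("doc_id", bad);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Upgrading to the fixed release remains the remediation the advisory gives; a check like this only keeps malformed IDs from reaching the vector store layer.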
Memory Poisoning (CVE-2026-41713)
Tracked with a CVSS score of 8.2, this vulnerability highlights the unique dangers of persistent AI conversations. The flaw resides in the PromptChatMemoryAdvisor component.
Unlike traditional SQL injection, which targets a database, this attack targets the LLM itself through its stored conversation context. According to the advisory, “A malicious user could craft input that is stored in conversation memory and later interpreted by the model in an unintended way”. Because the poisoned input is stored and recalled later, applications processing user-controlled input become “susceptible to manipulation of model behavior across conversation turns”. This allows attackers to gradually manipulate the AI’s guardrails or output logic over the course of a seemingly benign chat session.
Cross-User Data Leakage (CVE-2026-41712)
With a CVSS score of 7.5, this vulnerability exposes a critical architectural oversight regarding how Spring AI segregates user sessions.
The issue stems from a hardcoded fallback value. The report warns that “Spring AI’s chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users”. If developers failed to manually assign a unique ID to every user’s chat session, the framework defaulted to a shared DEFAULT_CONVERSATION_ID, inadvertently merging different users’ chat histories and exposing sensitive queries to strangers.
The advisory describes the remedy: “This fix removes the implicit default conversation ID”. Developers must be aware that “Applications that do not explicitly pass a conversationId to memory advisors will throw an exception after upgrading”. Before deploying the patch, ensure your code explicitly sets the conversation identifier using .advisors(a -> a.param(ChatMemory.CONVERSATION_ID, id)).
Remediation: Upgrade Paths
These three vulnerabilities affect applications running Spring AI versions 1.0.0 through 1.0.x, as well as 1.1.0 through 1.1.x.
The Spring maintainers have released Open Source Software (OSS) patches for both branches. Users of affected versions should upgrade to the corresponding fixed version:
- If you are on the 1.0.x branch: Upgrade immediately to 1.0.7.
- If you are on the 1.1.x branch: Upgrade immediately to 1.1.6.
As AI frameworks mature, they are becoming prime targets for novel exploitation techniques. Audit your Spring AI dependencies today to ensure your AI endpoints aren’t leaking data or susceptible to malicious memory tampering.