CVE-2026-41713 Overview
CVE-2026-41713 affects VMware Spring AI, the framework that integrates large language model (LLM) capabilities into Spring applications. The flaw allows a malicious user to craft input that is stored in conversation memory and later interpreted by the model in an unintended way. Applications using the affected advisor with user-controlled input may be susceptible to manipulation of model behavior across conversation turns. This is a stored prompt injection issue tracked under CWE-1336, Improper Neutralization of Special Elements Used in a Template Engine. Spring has published an advisory at Spring Security CVE-2026-41713.
Critical Impact
Attackers can persist malicious instructions in conversation memory, hijacking model behavior across sessions and influencing decisions made by downstream Spring AI applications.
Affected Products
- VMware Spring AI (versions referenced in the vendor advisory)
- Spring applications using the affected conversation memory advisor with user-controlled input
- Downstream services consuming model output from vulnerable advisors
Discovery Timeline
- 2026-05-12 - CVE-2026-41713 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41713
Vulnerability Analysis
The vulnerability resides in Spring AI's conversation memory advisor. Spring AI stores prior user and assistant turns to provide context for subsequent LLM invocations. When user-supplied content is appended to memory without neutralization, attacker-controlled tokens are later re-presented to the model as part of the prompt template. The model cannot distinguish system instructions from attacker-injected directives, leading to manipulated outputs.
The issue is classified as [CWE-1336] (Improper Neutralization of Special Elements Used in a Template Engine). Confidentiality impact is limited, but integrity impact is high because the model's reasoning and downstream actions can be steered by injected content. Availability is not affected.
Root Cause
The advisor concatenates raw user input into the prompt template used for subsequent turns. No filtering, role-tagging, or content boundary enforcement separates persisted user content from system or developer instructions. Once stored, the malicious tokens influence every later inference that loads that memory window.
Attack Vector
The attack is network-reachable, requires no authentication, and no user interaction. An attacker submits a chat message containing instructions such as overriding the system prompt, exfiltrating context, or producing biased output. The advisor stores the message verbatim. On the next turn, the model consumes the poisoned memory and follows the injected instructions instead of the developer-defined behavior.
The vulnerability is described in prose only because no verified proof-of-concept code is published. See the Spring Security advisory for vendor-specified exploitation conditions.
Detection Methods for CVE-2026-41713
Indicators of Compromise
- Conversation memory entries containing role-override phrases such as "ignore previous instructions", "you are now", or embedded system prompt delimiters.
- LLM responses that deviate from the application's defined persona, tool-use policy, or output schema after a specific user turn.
- Spring AI logs showing user messages with unusual token lengths, control characters, or template syntax.
Detection Strategies
- Inspect persisted conversation memory stores (vector DB, Redis, JDBC) for injection patterns before they are replayed to the model.
- Compare model outputs against a policy classifier to flag responses that violate guardrails after memory load.
- Enable Spring AI request and response logging to correlate poisoned memory entries with downstream behavior changes.
Monitoring Recommendations
- Alert on chat sessions where memory size grows abnormally or contains repeated instruction-like phrases.
- Track per-user anomaly scores for prompts containing template control tokens or escape sequences.
- Forward Spring AI application logs to a centralized analytics platform and apply detection rules for known prompt injection signatures.
How to Mitigate CVE-2026-41713
Immediate Actions Required
- Upgrade Spring AI to the fixed version listed in the Spring Security advisory.
- Audit existing conversation memory stores and purge entries containing injection payloads.
- Restrict the affected advisor to authenticated, lower-trust contexts until patching is complete.
Patch Information
VMware has published remediation guidance in the Spring Security CVE-2026-41713 advisory. Apply the recommended Spring AI release and review advisor configuration for any custom memory implementations that may inherit the same pattern.
Workarounds
- Sanitize user input before persistence by stripping template delimiters and instruction-like phrases.
- Wrap persisted user turns in explicit role tags so the model treats them as data, not instructions.
- Limit conversation memory scope to short windows and clear memory between privileged operations.
- Place an output guardrail or policy filter between the model and downstream tools to block injected directives.
# Configuration example - pin Spring AI to a patched release in Maven
mvn versions:use-dep-version -Dincludes=org.springframework.ai:spring-ai-core -DdepVersion=<patched-version> -DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
