CVE-2026-41712

Description

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

VMware / Spring AI1.0.0 – 1.0.7
VMware / Spring AI1.1.0 – 1.1.6

References

MISChttps://spring.io/security/cve-2026-41712
CONFIRMhttps://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1