CVE-2026-41712 | THREATINT

Description

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

PUBLISHED Reserved 2026-04-22 | Published 2026-05-12 | Updated 2026-05-12 | Assigner vmware

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

Product status

Default status

unaffected

1.0.0 (semver) before 1.0.7

affected

1.1.0 (semver) before 1.1.6

affected

Credits

Ahmed Sekka (GitHub: https://github.com/ahmed-sekka ); sharlongwen

References

spring.io/security/cve-2026-41712

nvd.nist.gov/...N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1

cve.org (CVE-2026-41712)

nvd.nist.gov (CVE-2026-41712)

Download JSON