HIGHCVE-2026-41712Published 2026-05-12Modified 2026-05-12CNA vmware

CVE-2026-41712: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.0.7
Affected Products: 1

Fix available

1.0.71.1.6

Affected packages

VMware / Spring AI
< 1.0.7 (from 1.0.0) · < 1.1.6 (from 1.1.0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

spring.io
nvd.nist.gov

Metrics

Fix available