High severity 7.5 · NVD Advisory · Published May 12, 2026 · Updated May 12, 2026
CVE-2026-41712
Description
Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.ai:spring-ai-client-chat (Maven) | < 1.0.7 | 1.0.7 |
| org.springframework.ai:spring-ai-client-chat (Maven) | >= 1.1.0-M1, < 1.1.6 | 1.1.6 |
| org.springframework.ai:spring-ai-client-chat (Maven) | >= 2.0.0-M1, < 2.0.0-M6 | 2.0.0-M6 |
| org.springframework.ai:spring-ai-model (Maven) | < 1.0.7 | 1.0.7 |
| org.springframework.ai:spring-ai-model (Maven) | >= 1.1.0-M1, < 1.1.6 | 1.1.6 |
| org.springframework.ai:spring-ai-model (Maven) | >= 2.0.0-M1, < 2.0.0-M6 | 2.0.0-M6 |
| org.springframework.ai:spring-ai-advisors-vector-store (Maven) | < 1.0.7 | 1.0.7 |
| org.springframework.ai:spring-ai-advisors-vector-store (Maven) | >= 1.1.0-M1, < 1.1.6 | 1.1.6 |
| org.springframework.ai:spring-ai-advisors-vector-store (Maven) | >= 2.0.0-M1, < 2.0.0-M6 | 2.0.0-M6 |
Affected products (4)
- osv-coords, 2 versions: < 8.9.5-r3 (+ 1 more)
- (no CPE) range: < 8.9.5-r3
- (no CPE) range: < 8.9.5-r3
References (5)
- github.com/advisories/GHSA-q62f-h9x2-gcqc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41712 (ghsa, ADVISORY)
- spring.io/security/cve-2026-41712 (nvd, Vendor Advisory, WEB)
- github.com/spring-projects/spring-ai/commit/59ab7521f0a8f67c89359e910a20472d572b4dd9 (ghsa, WEB)
- nvd.nist.gov/vuln-metrics/cvss/v3-calculator (nvd, US Government Resource)
News mentions (1)
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (The Hacker News · May 18, 2026)