High severity · CVSS 7.5 · NVD Advisory · Published May 12, 2026 · Updated May 12, 2026

CVE-2026-41712

Description

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.springframework.ai:spring-ai-client-chat (Maven) | < 1.0.7 | 1.0.7 |
| org.springframework.ai:spring-ai-client-chat (Maven) | >= 1.1.0-M1, < 1.1.6 | 1.1.6 |
| org.springframework.ai:spring-ai-client-chat (Maven) | >= 2.0.0-M1, < 2.0.0-M6 | 2.0.0-M6 |
| org.springframework.ai:spring-ai-model (Maven) | < 1.0.7 | 1.0.7 |
| org.springframework.ai:spring-ai-model (Maven) | >= 1.1.0-M1, < 1.1.6 | 1.1.6 |
| org.springframework.ai:spring-ai-model (Maven) | >= 2.0.0-M1, < 2.0.0-M6 | 2.0.0-M6 |
| org.springframework.ai:spring-ai-advisors-vector-store (Maven) | < 1.0.7 | 1.0.7 |
| org.springframework.ai:spring-ai-advisors-vector-store (Maven) | >= 1.1.0-M1, < 1.1.6 | 1.1.6 |
| org.springframework.ai:spring-ai-advisors-vector-store (Maven) | >= 2.0.0-M1, < 2.0.0-M6 | 2.0.0-M6 |
