CVE-2026-41712

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1	US Government Resource
https://spring.io/security/cve-2026-41712	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:vmware:spring_ai::::::::
	cpe:2.3:a:vmware:spring_ai::::::::

History

12 May 2026, 19:26

Type	Values Removed	Values Added
First Time		Vmware Vmware spring Ai
CWE		CWE-276
References	~~() https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1 -~~	() https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N&version=3.1 - US Government Resource
References	~~() https://spring.io/security/cve-2026-41712 -~~	() https://spring.io/security/cve-2026-41712 - Vendor Advisory
CPE		cpe:2.3:a:vmware:spring_ai::::::::

12 May 2026, 11:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-12 11:16

Updated : 2026-05-12 19:26

NVD link : CVE-2026-41712

Mitre link : CVE-2026-41712

CVE.ORG link : CVE-2026-41712

JSON object : View

Products Affected

vmware

spring_ai

CWE

CWE-276

Incorrect Default Permissions

7.5 /10