Improper access control in Spring AI - CVE-2026-41712

 

Improper access control in Spring AI - CVE-2026-41712

Published: May 11, 2026


Vulnerability identifier: #VU130983
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41712
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pivotal
Affected software:
Spring AI

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the chat memory component when using the default conversation identifier. A remote attacker can access conversation data associated with the shared default identifier to disclose sensitive information.

The issue occurs when applications do not explicitly override the default conversation ID.


How to mitigate CVE-2026-41712

Install security update from vendor's website.

Sources