Improper access control in Spring AI - CVE-2026-41712

 


Published: May 11, 2026


Vulnerability identifier: #VU130983
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-41712
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Spring AI
Software vendor: Pivotal

Description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the chat memory component when using the default conversation identifier. A remote attacker can access conversation data associated with the shared default identifier to disclose sensitive information.

The issue occurs when applications do not explicitly override the default conversation ID.
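How the shared default identifier arises in application code, and one way to isolate chat memory per authenticated user. This is an added example, not code from the advisory or the Spring AI project; it assumes the Spring AI 1.0 ChatClient and ChatMemory API (ChatClient, MessageChatMemoryAdvisor, MessageWindowChatMemory, ChatMemory.CONVERSATION_ID) and Spring Security's Authentication, and the class and method names are hypothetical.

```java
// Added example (not from the advisory or the Spring AI project). Assumes the
// Spring AI 1.0 ChatClient / ChatMemory API and Spring Security's Authentication.
import org.springframework.ai.chat.client.ChatClient;
import org.springframework.ai.chat.client.advisor.MessageChatMemoryAdvisor;
import org.springframework.ai.chat.memory.ChatMemory;
import org.springframework.ai.chat.memory.MessageWindowChatMemory;
import org.springframework.ai.chat.model.ChatModel;
import org.springframework.security.core.Authentication;

public class ChatMemoryIsolation {

    private final ChatClient chatClient;

    public ChatMemoryIsolation(ChatModel chatModel) {
        // One in-memory store is shared by the whole application; isolation
        // between users depends entirely on the conversation id used per call.
        ChatMemory memory = MessageWindowChatMemory.builder().build();
        this.chatClient = ChatClient.builder(chatModel)
                .defaultAdvisors(MessageChatMemoryAdvisor.builder(memory).build())
                .build();
    }

    // Weak pattern: no conversation id is supplied, so every caller reads and
    // writes the single bucket keyed by ChatMemory.DEFAULT_CONVERSATION_ID and
    // can see the history of every other caller.
    public String chatShared(String userInput) {
        return chatClient.prompt().user(userInput).call().content();
    }

    // Hardened pattern: the conversation id is derived from the authenticated
    // principal, so one user's history is never retrieved for another.
    public String chatIsolated(Authentication auth, String userInput) {
        String conversationId = conversationIdFor(auth);
        return chatClient.prompt()
                .user(userInput)
                .advisors(a -> a.param(ChatMemory.CONVERSATION_ID, conversationId))
                .call()
                .content();
    }

    // Fails closed: unauthenticated callers get no memory at all rather than
    // silently falling back to the shared default identifier.
    static String conversationIdFor(Authentication auth) {
        if (auth == null || !auth.isAuthenticated() || auth.getName() == null) {
            throw new IllegalStateException("chat memory requires an authenticated user");
        }
        return "user:" + auth.getName();
    }
}
```

A quick audit for this weakness is to search the code base for MessageChatMemoryAdvisor usages and confirm that every prompt path sets ChatMemory.CONVERSATION_ID from a per-user or per-session value.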


Remediation

Install the security update from the vendor's website.

External links