CVE-2026-41712 Overview
CVE-2026-41712 affects Spring AI's chat memory component, where an insecure default configuration can expose conversation data across users. When applications use the component without explicitly overriding the default conversation identifier, chat history from one user can leak into another user's session. The flaw is classified under CWE-276: Incorrect Default Permissions and is exploitable over the network without authentication or user interaction. VMware published advisory details in the Spring CVE-2026-41712 advisory.
Critical Impact
Unauthenticated network attackers can read other users' chat memory content, leading to confidentiality loss across tenants in Spring AI applications that rely on the default chat memory configuration.
Affected Products
- VMware Spring AI (all versions prior to the patched release noted in the vendor advisory)
- Applications embedding the Spring AI chat memory component with default settings
- Multi-user services built on Spring AI without per-user conversation identifiers
Discovery Timeline
- 2026-05-12 - CVE-2026-41712 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41712
Vulnerability Analysis
The Spring AI chat memory component stores prior conversation turns so language models can reference earlier user input. The component supports a conversation identifier that scopes memory to an individual user or session. When developers do not explicitly set this identifier, the component falls back to a shared default value.
All requests using the default value share the same memory store. A second user's conversation can therefore read or append to the first user's chat history. The flaw is an insecure default rather than a code execution bug, and its impact is limited to confidentiality of stored prompts and responses.
Because the flaw is reachable across the network and requires no privileges or interaction, any unauthenticated client of an affected Spring AI application can trigger the cross-user exposure. There are no public proof-of-concept exploits, no known in-the-wild abuse, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is an insecure default for the chat memory conversation identifier [CWE-276]. The component ships with a static default key rather than requiring explicit per-user or per-session scoping. Applications that instantiate the memory component without overriding this key share one logical conversation across all callers.
Attack Vector
An attacker sends chat requests to a vulnerable Spring AI endpoint without supplying a unique conversation identifier. The application resolves the request against the shared default memory bucket. The attacker then receives model responses that incorporate prompts, intermediate outputs, or sensitive content submitted by other users.
No authentication is required, complexity is low, and the attack succeeds over standard HTTP or HTTPS request paths. Technical details are described in the Spring Security advisory.
Detection Methods for CVE-2026-41712
Indicators of Compromise
- Application logs show multiple distinct client IP addresses or session tokens resolving to the same chat memory conversation identifier.
- User reports of unexpected references to prompts or responses they did not submit.
- Spring AI memory store entries containing mixed content from different tenants or accounts.
Detection Strategies
- Audit Spring AI bean configurations for usage of the chat memory component without an explicit conversation identifier override.
- Run dependency scans across build manifests to identify Spring AI versions referenced in the vendor advisory.
- Inspect application traffic for chat endpoints lacking per-user identifiers in request payloads or headers.
Monitoring Recommendations
- Log the resolved conversation identifier for every chat request and alert when one identifier is reused across multiple authenticated principals.
- Monitor LLM response content for cross-tenant data markers using data loss prevention rules tuned to your environment.
- Track Spring AI release notes and CVE feeds so newly disclosed memory component fixes are applied during routine patch cycles.
How to Mitigate CVE-2026-41712
Immediate Actions Required
- Upgrade Spring AI to the fixed version listed in the Spring CVE-2026-41712 advisory.
- Explicitly set a unique conversation identifier per authenticated user or session in every chat memory invocation.
- Review existing chat memory stores for cross-user content and purge entries that may contain leaked data.
Patch Information
VMware has released fixed Spring AI artifacts as documented in the vendor advisory. Update your build files (pom.xml or build.gradle) to reference the patched release and redeploy affected services. Validate that the chat memory component now requires or correctly applies a per-user conversation identifier.
Workarounds
- Wrap chat memory calls in a service layer that injects the authenticated principal's identifier as the conversation key.
- Disable persistent chat memory for endpoints that do not require conversational context until patching is complete.
- Apply tenant isolation at the data store layer so memory keyed to the default value cannot cross account boundaries.
# Configuration example: enforce a per-user conversation ID in Spring AI
# Pseudocode for a request-scoped configuration
chatMemory.scopeToConversationId(authenticatedUser.getId());
# Ensure no code path falls back to the library default identifier
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
