Spring AI: ChatMemory DEFAULT_CONVERSATION_ID causes unintended cross-user data leakage

GHSA-q62f-h9x2-gcqc · CVE-2026-41712

Published May 12, 2026 · Modified May 26, 2026

Description

Spring AI's chat memory component contained a problematic default that, when not explicitly overridden, could result in unintended data exposure between users.

References

7.5 / 10

HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Packages

Maven/org.springframework.ai:spring-ai-advisors-vector-store

Fix 1.0.7, 1.1.6, 2.0.0-M6

Introduced 0, 1.1.0-M1, 2.0.0-M1

26 affected versions

1.0.01.0.0-M71.0.0-M81.0.0-RC11.0.11.0.21.0.31.0.41.0.51.0.61.1.01.1.0-M11.1.0-M21.1.0-M31.1.0-M41.1.0-RC11.1.11.1.21.1.31.1.4 +6 more

Maven/org.springframework.ai:spring-ai-client-chat

Fix 1.0.7, 1.1.6, 2.0.0-M6

Introduced 0, 1.1.0-M1, 2.0.0-M1

26 affected versions

1.0.01.0.0-M71.0.0-M81.0.0-RC11.0.11.0.21.0.31.0.41.0.51.0.61.1.01.1.0-M11.1.0-M21.1.0-M31.1.0-M41.1.0-RC11.1.11.1.21.1.31.1.4 +6 more

Maven/org.springframework.ai:spring-ai-model

Fix 1.0.7, 1.1.6, 2.0.0-M6

Introduced 0, 1.1.0-M1, 2.0.0-M1

26 affected versions

1.0.01.0.0-M71.0.0-M81.0.0-RC11.0.11.0.21.0.31.0.41.0.51.0.61.1.01.1.0-M11.1.0-M21.1.0-M31.1.0-M41.1.0-RC11.1.11.1.21.1.31.1.4 +6 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes