CVE-2026-22742 - Vulnerability Analysis
Severity: High
CVSS: 8.6
Last Updated: March 27, 2026
Spring AI spring-ai-bedrock-converse - Server-Side Request Forgery
Published: March 27, 2026
Updated: March 27, 2026
Remotely Exploitable: Yes
Overview
Spring AI spring-ai-bedrock-converse from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4 contains a server-side request forgery (SSRF) caused by insufficient validation of user-supplied media URLs in BedrockProxyChatModel. An attacker who can submit crafted multimodal messages containing media URLs can induce the server to make HTTP requests to unintended destinations.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Attackers can make the server send HTTP requests to internal or external unintended destinations, potentially accessing sensitive internal resources or causing other impacts.
Mitigation
Upgrade to version 1.0.5 or later (1.0.x line) or 1.1.4 or later (1.1.x line).
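As an added illustration of the kind of check an application must apply to every user-supplied media URL before fetching it (this is not Spring AI's own code; the class name, the host allowlist and the policy choices are assumptions):

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Set;

// Hypothetical validator, not part of Spring AI: run it on each media URL found in a
// multimodal chat message before the server opens any connection for it.
public final class MediaUrlValidator {

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    // Optional allowlist of hosts the application is willing to fetch media from;
    // an empty set means "any public host".
    private final Set<String> allowedHosts;

    public MediaUrlValidator(Set<String> allowedHosts) {
        this.allowedHosts = allowedHosts;
    }

    /** Returns the vetted, resolved address; throws if the URL must not be fetched. */
    public InetAddress validate(String rawUrl) throws UnknownHostException {
        URI uri = URI.create(rawUrl); // throws IllegalArgumentException on bad syntax
        String scheme = uri.getScheme();
        if (scheme == null || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())) {
            throw new IllegalArgumentException("scheme not allowed: " + scheme);
        }
        String host = uri.getHost();
        if (host == null || uri.getUserInfo() != null) {
            throw new IllegalArgumentException("missing host or embedded credentials");
        }
        if (!allowedHosts.isEmpty() && !allowedHosts.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host not in allowlist: " + host);
        }
        // Resolve once and reject anything that lands on an internal address. Note that
        // isSiteLocalAddress() covers RFC 1918 ranges but not 100.64.0.0/10 or IPv6 ULA
        // (fc00::/7); a production check should test those ranges explicitly.
        InetAddress addr = InetAddress.getByName(host);
        if (addr.isLoopbackAddress() || addr.isLinkLocalAddress() || addr.isSiteLocalAddress()
                || addr.isAnyLocalAddress() || addr.isMulticastAddress()) {
            throw new IllegalArgumentException("host resolves to internal address: "
                    + addr.getHostAddress());
        }
        // Callers should connect to this returned address rather than re-resolving the
        // hostname (DNS rebinding), and must re-run this check on every redirect.
        return addr;
    }
}
```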
Details
- CVE ID: CVE-2026-22742
- Severity: High
- CVSS Score: 8.6
- Type: server_side_request_forgery
- Status: new
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N