{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22742", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-01-09T06:54:49.675Z", "datePublished": "2026-03-27T05:27:41.165Z", "dateUpdated": "2026-05-10T13:03:54.063Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-27T05:27:41.165Z"}, "title": "Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching", "affected": [{"vendor": "Spring", "product": "Spring AI", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.5", "versionType": "custom"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring AI's spring-ai-bedrock-converse\u00a0contains a Server-Side Request Forgery (SSRF) vulnerability in\u00a0BedrockProxyChatModel\u00a0when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<code>Spring AI's spring-ai-bedrock-converse</code>&nbsp;contains a Server-Side Request Forgery (SSRF) vulnerability in&nbsp;<code>BedrockProxyChatModel</code>&nbsp;when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.<br><p>This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.</p>"}]}], "references": [{"url": "https://spring.io/security/cve-2026-22742"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:24:16.998653Z", "id": "CVE-2026-22742", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-10T13:03:54.063Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22742", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T19:24:16.998653Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:30:37.969Z"}}], "cna": {"title": "Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring AI", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.0.5", "versionType": "custom"}, {"status": "affected", "version": "1.1.0", "lessThan": "1.1.4", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-22742"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring AI's spring-ai-bedrock-converse\u00a0contains a Server-Side Request Forgery (SSRF) vulnerability in\u00a0BedrockProxyChatModel\u00a0when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.", "supportingMedia": [{"type": "text/html", "value": "<code>Spring AI's spring-ai-bedrock-converse</code>&nbsp;contains a Server-Side Request Forgery (SSRF) vulnerability in&nbsp;<code>BedrockProxyChatModel</code>&nbsp;when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.<br><p>This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.</p>", "base64": false}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-03-27T05:27:41.165Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22742", "state": "PUBLISHED", "dateUpdated": "2026-05-10T13:03:54.063Z", "dateReserved": "2026-01-09T06:54:49.675Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-03-27T05:27:41.165Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "28BAEC64-E23B-478B-B206-5580BB00516F", "versionEndExcluding": "1.0.5", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3774C35-AE82-486B-8E13-8FCC34D3CA30", "versionEndExcluding": "1.1.4", "versionStartIncluding": "1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring AI's spring-ai-bedrock-converse\u00a0contains a Server-Side Request Forgery (SSRF) vulnerability in\u00a0BedrockProxyChatModel\u00a0when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."}], "id": "CVE-2026-22742", "lastModified": "2026-05-10T14:16:48.260", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-03-27T06:16:37.833", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://spring.io/security/cve-2026-22742"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,1.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.1.0,1.1.4)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "Spring AI", "source": "cna", "vendor": "Spring"}, "product": "spring", "vendor": "spring"}], "analysis": {"en": {"generated_at": "2026-03-27T21:20:26.285653+00:00", "value": {"mitigation_remediation": ["Upgrade Spring AI spring\u2011ai\u2011bedrock\u2011converse to version 1.0.5 or later, or to 1.1.4 or later if on the 1.1.x line.", "If an upgrade cannot be performed immediately, enforce strict validation of media URLs, whitelisting only trusted external domains and blocking internal IP ranges.", "Enable detailed logging of outbound HTTP requests to detect any unauthorized or unexpected fetches.", "Consider network segmentation or firewall rules that prevent the server from reaching sensitive internal resources until the vulnerability is resolved."], "summary": {"action": "Immediate Patch", "impact": "Server\u2011Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Spring AI\u2019s spring\u2011ai\u2011bedrock\u2011converse package, versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3, is affected. The issue remains in all releases prior to 1.0.5 and 1.1.4.", "description_and_impact": "This vulnerability allows an attacker to supply a malicious media URL in a multimodal message, causing the BedrockProxyChatModel to fetch that URL without proper validation. The resulting server\u2011side request can target internal or external resources, potentially exposing sensitive data or providing a pivot to internal services. The flaw does not directly grant code execution but enables unauthorized network access and data exfiltration.", "risk_and_exploitability": "The CVSS score of 8.6 marks it as high severity, and the EPSS score is below 1%, indicating low current exploitation probability. The vulnerability is not listed in the KEV catalog, suggesting no publicly confirmed exploits. However, the attack vector\u2014sending a crafted multimodal message\u2014is straightforward for any actor with message\u2011sending access, making the risk significant for exposed deployments."}}}}, "created": "2026-03-27T09:22:10.286971+00:00", "updated": "2026-03-30T07:59:52.122817+00:00", "vendors": ["spring", "spring$PRODUCT$spring"], "weaknesses": ["CWE-918"]}