CVE-2026-22742
Published: 27 March 2026
Summary
CVE-2026-22742 is a high-severity SSRF (CWE-918) vulnerability in VMware Spring AI. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the insufficient validation of user-supplied media URLs by requiring validation to prevent SSRF-induced requests to unauthorized destinations.
- AC-4 (Information Flow Enforcement): enforces information flow control policies that restrict the BedrockProxyChatModel from issuing HTTP requests to unintended internal or external destinations.
- SC-7 (Boundary Protection): provides boundary protection to block unauthorized outbound HTTP requests from the vulnerable Spring AI component to internal network resources or metadata services.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF directly enables remote exploitation of a public-facing AI application (T1190) and unauthorized access to internal/cloud metadata endpoints (T1522).
NVD Description
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
Deeper analysis
CVE-2026-22742 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the BedrockProxyChatModel component of Spring AI's spring-ai-bedrock-converse module. The flaw arises from insufficient validation of user-supplied media URLs in multimodal messages, enabling the server to issue HTTP requests to unintended internal or external destinations. It affects Spring AI versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, lack of required privileges or user interaction, cross-scope impact, and high confidentiality consequences.
Remote, unauthenticated attackers can exploit this vulnerability by submitting multimodal messages containing malicious media URLs to a vulnerable Spring AI application. Successful exploitation induces the server to make unauthorized HTTP requests on the attacker's behalf, potentially allowing access to internal network resources, metadata services, or external endpoints that the server can reach but users cannot. While integrity and availability are not directly impacted, the high confidentiality score reflects risks such as data exfiltration from behind firewalls or cloud metadata exposure.
The official Spring security advisory at https://spring.io/security/cve-2026-22742 details the issue and recommends upgrading to Spring AI 1.0.5 or later for the 1.0.x branch, or 1.1.4 or later for the 1.1.x branch, as these versions include fixes for URL validation.
This vulnerability is relevant to AI/ML practitioners using Spring AI integrations with AWS Bedrock for conversational models, highlighting risks in proxying user-supplied content in multimodal AI workflows. No public reports of real-world exploitation were available as of the CVE publication on 2026-03-27.
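As an added defensive example (not code from Spring AI or from the advisory), the hypothetical `MediaUrlValidator` below applies the kind of validation the mitigating controls above call for: it rejects media URLs that are not http(s), carry embedded credentials, fall outside an optional host allow-list, or resolve to loopback, link-local (which includes the 169.254.169.254 metadata range), RFC 1918 private or IPv6 unique-local addresses. The class name and the sample URLs in `main` are constructed for this example.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Hypothetical allow-list validator for user-supplied media URLs (added example, not Spring AI code). */
public final class MediaUrlValidator {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    private final Set<String> allowedHosts; // empty = any host, as long as it resolves only to public addresses

    public MediaUrlValidator(Set<String> allowedHosts) { this.allowedHosts = allowedHosts; }

    /** True only for http(s) URLs without embedded credentials whose host resolves exclusively to public addresses. */
    public boolean isSafe(String raw) {
        URI uri;
        try { uri = new URI(raw); } catch (Exception e) { return false; } // unparseable or null input
        String scheme = uri.getScheme(), host = uri.getHost();
        if (scheme == null || host == null || uri.getRawUserInfo() != null) return false;
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) return false; // no file:, ftp:, gopher: ...
        host = host.toLowerCase(Locale.ROOT);
        if (!allowedHosts.isEmpty() && !allowedHosts.contains(host)) return false;
        InetAddress[] addrs;
        try { addrs = InetAddress.getAllByName(host); } catch (UnknownHostException e) { return false; }
        for (InetAddress a : addrs) {
            if (!isPublic(a)) return false; // every A/AAAA record must be public, not just the first one
        }
        return true;
    }

    private static boolean isPublic(InetAddress a) {
        byte[] b = a.getAddress();
        boolean ula = b.length == 16 && (b[0] & 0xfe) == 0xfc; // fc00::/7; isSiteLocalAddress() only covers fec0::/10
        return !(a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                || a.isAnyLocalAddress() || a.isMulticastAddress() || ula);
    }

    public static void main(String[] args) {
        MediaUrlValidator v = new MediaUrlValidator(Set.of()); // no host allow-list: address checks only
        String[] samples = { // constructed sample URLs; 203.0.113.0/24 (TEST-NET-3) stands in for a public address
            "https://203.0.113.7/cat.png",              // public: accepted
            "http://169.254.169.254/latest/meta-data/", // link-local (cloud metadata range): rejected
            "http://10.0.0.5/internal.png",             // RFC 1918 private: rejected
            "http://[::1]/x.png",                       // IPv6 loopback: rejected
            "http://user@203.0.113.7/x.png",            // embedded credentials: rejected
            "file:///etc/hostname" };                   // non-http scheme: rejected
        for (String u : samples) System.out.println((v.isSafe(u) ? "accept " : "reject ") + u);
    }
}
```

The address check only holds if the HTTP client connects to the address that was validated (pin the resolved IP rather than resolving again) and re-validates every redirect target; otherwise DNS rebinding or an open redirect on an allowed host can route the request to an internal destination anyway.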
Details
- CWE(s): CWE-918 (Server-Side Request Forgery)
- Affected Products: Spring AI from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, ai, ai