Cyber Resilience

CVE-2026-22742

Severity: High
Published: 27 March 2026
Modified: 10 May 2026
KEV Added: not listed
Patch: available (Spring AI 1.0.5 / 1.1.4)
CVSS v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS: 0.0035 (27.0th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-22742 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in Spring AI (vendor: VMware). Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as NLP and Transformers, in the LLM/Generative AI Risks domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-22742 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, in the BedrockProxyChatModel component of Spring AI's spring-ai-bedrock-converse module. The flaw arises from insufficient validation of user-supplied media URLs in multimodal messages, enabling the server to issue HTTP requests to unintended internal or external destinations. It affects Spring AI versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to its network accessibility, low complexity, lack of required privileges or user interaction, cross-scope impact, and high confidentiality consequences.

Remote, unauthenticated attackers can exploit this vulnerability by submitting multimodal messages containing malicious media URLs to a vulnerable Spring AI application. Successful exploitation induces the server to make unauthorized HTTP requests on the attacker's behalf, potentially allowing access to internal network resources, metadata services, or external endpoints that the server can reach but users cannot. While integrity and availability are not directly impacted, the high confidentiality score reflects risks such as data exfiltration from behind firewalls or cloud metadata exposure.

The official Spring security advisory at https://spring.io/security/cve-2026-22742 details the issue and recommends upgrading to Spring AI 1.0.5 or later for the 1.0.x branch, or 1.1.4 or later for the 1.1.x branch, as these versions include fixes for URL validation.

This vulnerability is relevant to AI/ML practitioners using Spring AI integrations with AWS Bedrock for conversational models, highlighting risks in proxying user-supplied content in multimodal AI workflows. No public reports of real-world exploitation were available as of the CVE publication on 2026-03-27.
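The URL validation the advisory's fix calls for, as an added example that is not Spring AI's patch and uses no Spring AI API: a gate that the server applies to each user-supplied media URL before anything dereferences it. The class name MediaUrlPolicy, the host allow-list and the offline DNS table in main() are hypothetical; the sample URLs are constructed to exercise the attack shapes described above (metadata endpoint, user-info trick, non-https scheme, allow-listed name resolving inside the network).

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

// Added example, not Spring AI code: a gate that a server-side component must pass a
// user-supplied media URL through before dereferencing it. JDK only; the class name,
// the allow-list and the DNS table in main() are hypothetical.
public final class MediaUrlPolicy {

    private final Set<String> allowedHosts;                      // exact host names, lower case
    private final Function<String, List<InetAddress>> resolver;  // injectable so the demo runs offline

    public MediaUrlPolicy(Set<String> allowedHosts, Function<String, List<InetAddress>> resolver) {
        this.allowedHosts = allowedHosts;
        this.resolver = resolver;
    }

    /** Returns the URL if it passes every check, otherwise throws with the reason. */
    public URI validate(String raw) {
        URI uri;
        try {
            uri = new URI(raw);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("malformed URL");
        }
        // 1. Scheme allow-list: rejects file:, plain http: and scheme-less input.
        if (!"https".equalsIgnoreCase(uri.getScheme())) throw new IllegalArgumentException("scheme not allowed: " + uri.getScheme());
        // 2. No user-info: "https://cdn.example.com@169.254.169.254/" must not pass as the CDN.
        if (uri.getRawUserInfo() != null) throw new IllegalArgumentException("user-info in authority not allowed");
        // 3. Exact host allow-list, case-folded, trailing dot removed.
        String host = uri.getHost();
        if (host == null) throw new IllegalArgumentException("no parseable host");
        host = host.toLowerCase(Locale.ROOT);
        if (host.endsWith(".")) host = host.substring(0, host.length() - 1);
        if (!allowedHosts.contains(host)) throw new IllegalArgumentException("host not allowed: " + host);
        // 4. Only the default TLS port.
        if (uri.getPort() != -1 && uri.getPort() != 443) throw new IllegalArgumentException("port not allowed: " + uri.getPort());
        // 5. Defence in depth: an allow-listed name must still not resolve to a non-public address
        //    (hijacked DNS, rebinding, an internal name that crept into the list).
        List<InetAddress> addresses = resolver.apply(host);
        if (addresses.isEmpty()) throw new IllegalArgumentException("host does not resolve: " + host);
        for (InetAddress a : addresses) {
            if (isNonPublic(a)) throw new IllegalArgumentException("host resolves to non-public address " + a.getHostAddress());
        }
        return uri;
    }

    /** Unspecified, loopback, link-local (covers 169.254.169.254), RFC 1918, multicast, CGNAT, IPv6 ULA. */
    static boolean isNonPublic(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress(); // an IPv4-mapped IPv6 literal already arrives here as an Inet4Address
        if (b.length == 4) {
            int b0 = b[0] & 0xff, b1 = b[1] & 0xff;
            return b0 == 0 || (b0 == 100 && (b1 & 0xc0) == 64); // 0.0.0.0/8, 100.64.0.0/10
        }
        return (b[0] & 0xfe) == 0xfc;                            // fc00::/7
    }

    /** ALLOW, or REJECT with the reason, for one candidate URL. */
    public String decide(String raw) {
        try {
            validate(raw);
            return "ALLOW";
        } catch (IllegalArgumentException e) {
            return "REJECT: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed DNS table so the demo runs offline (203.0.113.0/24 is the TEST-NET-3 documentation range).
        Map<String, List<InetAddress>> fakeDns = Map.of(
                "cdn.example.com", List.of(InetAddress.getByName("203.0.113.10")),
                "media.partner.example", List.of(InetAddress.getByName("10.0.0.5")));
        MediaUrlPolicy policy = new MediaUrlPolicy(
                Set.of("cdn.example.com", "media.partner.example"),
                host -> fakeDns.getOrDefault(host, List.of()));
        // Constructed media URLs of the kind a multimodal message could carry.
        List<String> samples = List.of(
                "https://cdn.example.com/cat.png",                           // ALLOW
                "https://CDN.example.com./cat.png",                          // ALLOW (host folded)
                "http://cdn.example.com/cat.png",                            // scheme
                "file:///etc/passwd",                                        // scheme
                "https://169.254.169.254/latest/meta-data/",                 // host not allow-listed
                "https://cdn.example.com@169.254.169.254/latest/meta-data/", // user-info
                "https://cdn.example.com:8443/cat.png",                      // port
                "https://media.partner.example/cat.png");                    // resolves to 10.0.0.5
        for (String s : samples) {
            System.out.printf("%-60s %s%n", s, policy.decide(s));
        }
    }
}
```

Compile and run with `javac MediaUrlPolicy.java && java MediaUrlPolicy`; in production pass a resolver that wraps InetAddress.getAllByName instead of the constructed table. Two things the gate cannot do by itself: the client that performs the fetch must not follow redirects (java.net.http.HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER)), since a 3xx from an allow-listed host would otherwise re-target the request after validation, and the connection should go to the address that was checked rather than resolving the name a second time, which is the DNS-rebinding window. Egress filtering of the metadata address at host or VPC level, the SC-7 control listed under Mitigating Controls, and requiring IMDSv2 on AWS are the layers that still hold if an application-level check is bypassed.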

Vulnerability details

Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

AI Security Analysis

AI Category: NLP and Transformers
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: none mapped
Classification Reason: matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Why these techniques?

SSRF directly enables remote exploitation of a public-facing AI application (T1190) and unauthorized access to internal or cloud metadata endpoints (T1552.005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22738 (same product: Spring AI)
CVE-2026-41705 (same product: Spring AI)
CVE-2026-22729 (same product: Spring AI)
CVE-2026-22744 (same product: Spring AI)
CVE-2026-40967 (same product: Spring AI)
CVE-2026-22730 (same product: Spring AI)
CVE-2026-40978 (same product: Spring AI)
CVE-2026-22743 (same product: Spring AI)
CVE-2026-41712 (same product: Spring AI)
CVE-2026-41713 (same product: Spring AI)

Affected Assets

Vendor: vmware
Product: spring ai
Affected versions: 1.0.0 up to but not including 1.0.5; 1.1.0 up to but not including 1.1.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Input validation (prevent)
Directly addresses the insufficient validation of user-supplied media URLs by requiring validation to prevent SSRF-induced requests to unauthorized destinations.

AC-4 Information Flow Enforcement (prevent)
Enforces information flow control policies that restrict the BedrockProxyChatModel from issuing HTTP requests to unintended internal or external destinations.

SC-7 Boundary Protection (prevent)
Provides boundary protection to block unauthorized outbound HTTP requests from the vulnerable Spring AI component to internal network resources or metadata services.

References

Spring security advisory for CVE-2026-22742: https://spring.io/security/cve-2026-22742