PT-2026-28325 · Vmware · Spring Ai
Published
2026-03-18
·
Updated
2026-04-01
·
CVE-2026-22742
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3
Description
Spring AI's spring-ai-bedrock-converse module has a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when it handles multimodal messages that contain user-provided media URLs. These URLs are not validated before the server fetches them, so an attacker who controls a media URL can make the server issue HTTP requests to arbitrary destinations, internal (for example, cloud metadata or other non-public services) or external.
Recommendations
Update Spring AI to version 1.0.5 or later.
Update Spring AI to version 1.1.4 or later.
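Upgrading is the fix. As defence in depth while rolling it out, an application can refuse user-supplied media URLs before they reach the chat model. The guard below is an added example and is not Spring AI's own code; the class name MediaUrlGuard, the Resolver interface and the hostnames and addresses in main() are assumptions constructed for illustration, and the resolver is a fixed in-memory table so the example runs without DNS.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example (not Spring AI code): allowlist-based guard for user-supplied
 * media URLs, meant to run before a URL is placed into a multimodal message.
 * Class and method names are assumptions.
 */
public final class MediaUrlGuard {

    /** Resolver abstraction so the check can be exercised without real DNS. */
    @FunctionalInterface
    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");

    private MediaUrlGuard() {}

    /**
     * Returns true only if the URL uses http(s), carries no userinfo, names a
     * host on the allowlist, and every address that host resolves to is a
     * public unicast address.
     */
    public static boolean isSafe(String rawUrl, Set<String> allowedHosts, Resolver resolver) {
        URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return false;                        // malformed: reject
        }
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null || uri.getUserInfo() != null) {
            return false;                        // file:/data:, no host, or user@host confusion
        }
        if (!ALLOWED_SCHEMES.contains(scheme.toLowerCase(Locale.ROOT))) {
            return false;
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!allowedHosts.contains(host)) {
            return false;                        // the allowlist is the primary control
        }
        InetAddress[] addrs;
        try {
            addrs = resolver.resolve(host);
        } catch (UnknownHostException e) {
            return false;
        }
        if (addrs.length == 0) {
            return false;
        }
        for (InetAddress a : addrs) {
            if (isInternal(a)) {
                return false;                    // allowlisted name now points inside: reject
            }
        }
        return true;
    }

    /** Loopback, link-local (covers 169.254.169.254), RFC 1918, IPv6 ULA, multicast, unspecified. */
    static boolean isInternal(InetAddress a) {
        if (a.isLoopbackAddress() || a.isLinkLocalAddress() || a.isSiteLocalAddress()
                || a.isAnyLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        // IPv6 unique local addresses fc00::/7 are not covered by isSiteLocalAddress()
        return b.length == 16 && (b[0] & 0xfe) == 0xfc;
    }

    public static void main(String[] args) {
        // Constructed resolver: fixed answers, no network lookups.
        Map<String, String> table = Map.of(
                "cdn.example.com", "203.0.113.10",
                "rebound.example.com", "10.0.0.5");
        Resolver fake = host -> {
            String ip = table.get(host);
            if (ip == null) {
                throw new UnknownHostException(host);
            }
            return new InetAddress[] { InetAddress.getByName(ip) }; // literal IP, no DNS
        };
        Set<String> allow = Set.of("cdn.example.com", "rebound.example.com");

        List<String> samples = Arrays.asList(
                "https://cdn.example.com/cat.png",           // allowlisted, public address
                "http://169.254.169.254/latest/meta-data/",  // not allowlisted
                "https://rebound.example.com/x.png",         // allowlisted but resolves to 10/8
                "file:///etc/passwd",                        // disallowed scheme
                "https://cdn.example.com@10.0.0.5/x.png");   // userinfo trick, real host is 10.0.0.5
        for (String s : samples) {
            System.out.println(isSafe(s, allow, fake) + "  " + s);
        }
    }
}
```

Two caveats a practitioner should keep in mind. The check resolves the name once, so a rebinding DNS answer between validation and fetch is still possible; the HTTP client that fetches the media should connect to the address that passed the check, or apply the same policy itself, and it must run the check again on every redirect target. Second, the allowlist is the real control; the address checks only catch an allowlisted host that has been pointed at an internal range.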
Fix
SSRF
Weakness Enumeration
Related Identifiers
Affected Products
Spring Ai