PatchSiren cyber security CVE debrief
CVE-2026-22742 VMware CVE debrief
CVE-2026-22742 describes a server-side request forgery (SSRF) issue in Spring AI's spring-ai-bedrock-converse component. When BedrockProxyChatModel processes multimodal messages that include user-supplied media URLs, insufficient validation can let an attacker cause the server to send HTTP requests to unintended destinations. The issue is rated HIGH with CVSS 8.6 and affects Spring AI versions from 1.0.0 before 1.0.5 and from 1.1.0 before 1.1.4.
- Vendor: VMware
- Product: Spring AI (spring-ai-bedrock-converse)
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-27
- Original CVE updated: 2026-05-10
- Advisory published: 2026-03-27
- Advisory updated: 2026-05-10
Who should care
Teams running Spring AI workloads that accept multimodal input, especially applications using BedrockProxyChatModel or otherwise ingesting user-controlled media URLs. Cloud platform operators and defenders concerned with outbound request control and internal network exposure should also treat this as relevant.
Technical summary
According to the NVD entry and linked vendor advisory, the flaw is an SSRF weakness (CWE-918) in BedrockProxyChatModel. The vulnerable behavior occurs while processing multimodal messages that contain user-supplied media URLs: validation is insufficient to stop the server from issuing HTTP requests to internal or external targets of the attacker's choosing. NVD lists the attack vector as network with no privileges or user interaction required and a changed scope, consistent with the published CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The changed scope reflects that the component actually impacted (whatever the forged request reaches) differs from the vulnerable one, and the C:H/I:N/A:N impact components rate the issue as a confidentiality problem, that is, disclosure of responses from reachable services, rather than an integrity or availability one.
Defensive priority
High. This is a network-reachable SSRF issue with no privileges required, no user interaction required, and potential access to high-value internal or external destinations through server-side outbound requests.
Recommended defensive actions
- Upgrade Spring AI to a fixed release: 1.0.5 or later for the 1.0.x line, or 1.1.4 or later for the 1.1.x line.
- Review any use of BedrockProxyChatModel or other multimodal features that accept user-supplied media URLs.
- Apply strict validation and allowlisting for outbound media URLs before they are fetched server-side.
- Restrict egress from the affected service so it cannot reach sensitive internal ranges or cloud instance metadata endpoints (for example 169.254.169.254 on EC2) unless explicitly required.
- Monitor outbound HTTP requests from affected applications for unusual destinations or request patterns.
- Use network segmentation and least-privilege service access to limit the impact of any server-side request forgery.
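One way to implement the validate-and-allowlist step, as an added example that is not Spring AI's or VMware's own code: a small Java guard that rejects non-https schemes, userinfo tricks, non-default ports, hosts outside an assumed operator allowlist (media.example.com, cdn.example.com), and allowlisted names whose DNS answer lands in loopback, link-local (where 169.254.169.254 lives), RFC 1918, CGNAT or IPv6 unique-local space. The class name, the allowlist and the Resolver seam are assumptions; the sample URLs and the stub resolver are constructed so the demo runs offline.

```java
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/** Hypothetical SSRF guard for user-supplied media URLs; added example, not Spring AI code. */
public final class MediaUrlGuard {
    /** Assumed operator-controlled allowlist of media origins. */
    private static final Set<String> ALLOWED_HOSTS = Set.of("media.example.com", "cdn.example.com");

    public static final class RejectedUrlException extends Exception {
        RejectedUrlException(String message) { super(message); }
    }

    /** DNS lookup seam so the address check can run offline in the demo below. */
    @FunctionalInterface
    public interface Resolver {
        InetAddress[] resolve(String host) throws UnknownHostException;
    }

    /** Returns the URI if every check passes, otherwise throws naming the failed check. */
    public static URI vet(String raw, Resolver resolver) throws RejectedUrlException {
        URI uri;
        try {
            uri = new URI(raw).parseServerAuthority();          // also rejects malformed authorities
        } catch (URISyntaxException e) {
            throw new RejectedUrlException("unparseable URL");
        }
        String scheme = uri.getScheme() == null ? "" : uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("https")) {                          // no http, file, ftp, gopher, jar ...
            throw new RejectedUrlException("scheme not allowed: " + scheme);
        }
        if (uri.getUserInfo() != null) {                        // blocks https://allowed.host@evil.host/
            throw new RejectedUrlException("userinfo not allowed");
        }
        String host = uri.getHost();
        if (host == null) {
            throw new RejectedUrlException("missing host");
        }
        host = host.toLowerCase(Locale.ROOT);
        if (!ALLOWED_HOSTS.contains(host)) {                    // IP literals never match the allowlist
            throw new RejectedUrlException("host not in allowlist: " + host);
        }
        if (uri.getPort() != -1 && uri.getPort() != 443) {      // default TLS port only
            throw new RejectedUrlException("port not allowed: " + uri.getPort());
        }
        InetAddress[] answers;
        try {
            answers = resolver.resolve(host);
        } catch (UnknownHostException e) {
            throw new RejectedUrlException("host does not resolve");
        }
        for (InetAddress a : answers) {                         // second layer: allowlisted name, bad answer
            if (isForbidden(a)) {
                throw new RejectedUrlException(host + " resolves to forbidden address " + a.getHostAddress());
            }
        }
        return uri;
    }

    /** Loopback, unspecified, link-local (covers 169.254.169.254), RFC 1918, CGNAT, ULA, multicast. */
    static boolean isForbidden(InetAddress a) {
        if (a.isAnyLocalAddress() || a.isLoopbackAddress() || a.isLinkLocalAddress()
                || a.isSiteLocalAddress() || a.isMulticastAddress()) {
            return true;
        }
        byte[] b = a.getAddress();
        if (a instanceof Inet4Address) {                        // Java returns IPv4-mapped IPv6 as Inet4Address
            int first = b[0] & 0xff, second = b[1] & 0xff;
            return first == 0 || (first == 100 && second >= 64 && second <= 127); // 0.0.0.0/8, 100.64.0.0/10
        }
        if (a instanceof Inet6Address) {
            return (b[0] & 0xfe) == 0xfc;                       // fc00::/7 unique local
        }
        return true;                                            // unknown family: fail closed
    }

    public static void main(String[] args) {
        // Constructed stub resolver so the demo runs offline; cdn.example.com simulates a private answer.
        Resolver stub = host -> new InetAddress[] {
            InetAddress.getByName(host.equals("cdn.example.com") ? "10.0.0.5" : "203.0.113.10") };
        List<String> samples = List.of(
            "https://media.example.com/pets/cat.png",           // ALLOW
            "http://169.254.169.254/latest/meta-data/",         // REJECT: scheme
            "file:///etc/passwd",                               // REJECT: scheme
            "https://media.example.com@attacker.example/x.png", // REJECT: userinfo
            "https://media.example.com:8080/x.png",             // REJECT: port
            "https://127.0.0.1/x.png",                          // REJECT: not allowlisted
            "https://cdn.example.com/x.png");                   // REJECT: resolves to 10.0.0.5
        for (String s : samples) {
            try { System.out.println("ALLOW  " + vet(s, stub)); }
            catch (RejectedUrlException e) { System.out.println("REJECT " + s + " (" + e.getMessage() + ")"); }
        }
    }
}
```

The hostname allowlist is the primary control; the resolved-address check is defence in depth, because even an operator-controlled name can be pointed at an internal address. Resolve-then-connect still leaves a DNS rebinding window between vet() and the actual fetch, which is why the egress restriction in the list above remains necessary rather than optional. How the vetted URI is then attached to a Spring AI message is outside what the advisory record describes, so that integration is left to the reader.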
Evidence notes
The CVE description states that spring-ai-bedrock-converse contains an SSRF vulnerability in BedrockProxyChatModel when processing multimodal messages with user-supplied media URLs. NVD records affected versions as 1.0.0 before 1.0.5 and 1.1.0 before 1.1.4, and classifies the weakness as CWE-918. The linked vendor advisory is https://spring.io/security/cve-2026-22742.
Official resources
- CVE-2026-22742 CVE record (CVE.org)
- CVE-2026-22742 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Vendor Advisory, https://spring.io/security/cve-2026-22742
Published by the official CVE record on 2026-03-27T06:16:37.833Z and modified on 2026-05-10T14:16:48.260Z. This debrief relies on the official CVE/NVD record and the linked vendor advisory; no exploit details are included.