EUVD-2026-16537
GHSA-mhrg-94vw-45c5
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 maven packages depend on org.springframework.ai:spring-ai-bedrock-converse (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 1.0.0-M5.
DescriptionCVE.org
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations. This issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4.
AnalysisAI
Server-Side Request Forgery in Spring AI Bedrock Converse module enables unauthenticated remote attackers to force the application server to issue HTTP requests to arbitrary internal or external destinations by supplying malicious media URLs in multimodal messages. Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Spring AI versions 1.0.0-1.0.4 or 1.1.0-1.1.3 with spring-ai-bedrock-converse module enabled. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS v3.1 score of 8.6 reflects significant real-world risk driven by network-based attack vector (AV:N), low attack complexity (AC:L), no authentication required (PR:N), no user interaction needed (UI:N), and changed scope (S:C) with high confidentiality impact (C:H). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted multimodal message to a Spring AI application endpoint, embedding a malicious media URL pointing to an internal cloud metadata service (http://169.254.169.254/latest/meta-data/iam/security-credentials/). The BedrockProxyChatModel processes the message and fetches content from the attacker-controlled URL without validation. … |
| Remediation | Upgrade Spring AI to version 1.0.5 or later for the 1.0.x branch, or to version 1.1.4 or later for the 1.1.x branch, as documented in the Spring security advisory at https://spring.io/security/cve-2026-22742. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all applications using Spring AI Bedrock Converse and identify affected versions (1.0.0-1.0.4, 1.1.0-1.1.3). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof
Denial-of-service in Spring Cloud Sleuth 3.1.0 through 3.1.13 allows remote unauthenticated attackers to exhaust applica
Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka re
Share
External POC / Exploit Code
Leaving vuln.today