CVE-2026-22742: Spring AI SSRF — Patch Guide
CVE-2026-22742 is an SSRF in Spring AI Bedrock 1.0.0-1.0.4 and 1.1.0-1.1.3 that lets attackers probe internal networks and expose sensitive data. Upgrade to 1.0.5 or 1.1.4.
Vendor-confirmed: CVE-2026-22742 is a high-severity SSRF in Spring AI Bedrock 1.0.0-1.0.4 and 1.1.0-1.1.3 that lets attackers probe internal networks, access cloud metadata, and expose sensitive data via the BedrockProxyChatModel. Upgrade to version 1.0.5 or 1.1.4 immediately to block exploitation.
Overview
A significant security vulnerability, identified as CVE-2026-22742, has been discovered in Spring AI. This flaw is a Server-Side Request Forgery (SSRF) vulnerability that affects the spring-ai-bedrock-converse module. It poses a high risk to systems using this AI integration, with a CVSS score of 8.6.
What is the Vulnerability?
In simple terms, this vulnerability exists in the BedrockProxyChatModel component when it handles user messages that contain media, such as images or documents. The component fetches these files from URLs supplied by the user, and the flaw is that it does not properly validate or restrict those URLs. An attacker can craft a message with a URL that points not to a legitimate image, but to an internal system or service that should not be reachable from the outside. The Spring AI server is then tricked into making that request on the attacker's behalf, potentially exposing sensitive internal data or infrastructure.
Impact and Risks
If successfully exploited, this SSRF vulnerability can have severe consequences:
- Internal Network Reconnaissance: Attackers can scan internal networks to discover other servers, databases, or administrative panels.
- Data Exposure: The server may retrieve and reveal sensitive information from internal APIs or cloud metadata services.
- Service Disruption: Requests could be sent to critical internal systems, causing denial-of-service conditions. This type of flaw is often the first step in a larger attack chain, potentially leading to data breaches.
Affected Versions
The vulnerability impacts the following Spring AI releases:
- Versions 1.0.0 through 1.0.4
- Versions 1.1.0 through 1.1.3
Remediation and Mitigation
The primary and most critical action is to upgrade to a patched version of Spring AI immediately.
- Update to version 1.0.5 if you are using the 1.0.x release line.
- Update to version 1.1.4 if you are using the 1.1.x release line.
These updated versions contain the validation needed to block malicious SSRF attempts. If an immediate update is not possible, consider temporarily disabling the processing of user-supplied media URLs in the BedrockProxyChatModel as an interim measure. Always keep your software dependencies up to date to protect against known vulnerabilities.
Conclusion
CVE-2026-22742 is a high-severity vulnerability that requires prompt attention. Organizations using affected versions of Spring AI should prioritize applying the available patches to secure their AI-powered applications and protect their internal network from unauthorized access.