Server-Side Request Forgery in BedrockProxyChatModel via Unvalidated Media URL Fetching

Description

A vulnerability identified as critical has been detected in VMware Spring AI up to 1.0.4/1.1.3. This affects an unknown part of the component Multimodal Message Handler. Performing a manipulation results in server-side request forgery. The attack is possible to be carried out remotely.

Affected Products

Vendor	Product	Versions
spring	spring ai	1.0.0, 1.1.0, 1.0.4, 1.1.3

References

https://spring.io/security/cve-2026-22742

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-22742 | VMware Spring AI up to 1.0.4/1.1.3 Multimodal Message server-side request forgery

→ No new info (linked only)

CVSS 3.18.6 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA KEV❌ No

Actively exploited✅ Yes

Published3/27/2026

Last enriched5h agov2

Trending Score49

Source articles1

Independent1

Info Completeness7/14

Missing: epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Version History

Last enriched 5h ago

v2Tier C5h ago

Updated vendor to VMware, product details, affected versions, severity to CRITICAL, and noted that no exploit exists.

descriptionaffectedVersionsseverityactivelyExploited

via VulDB

v17h ago

Initial creation