Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can force the server to make HTTP requests to arbitrary internal addresses and retrieve response bodies via the actuator proxy to exfiltrate cloud credentials.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Codecentric
Codecentric spring Boot Admin |
|
| Vendors & Products |
Codecentric
Codecentric spring Boot Admin |
Mon, 13 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can force the server to make HTTP requests to arbitrary internal addresses and retrieve response bodies via the actuator proxy to exfiltrate cloud credentials. | |
| Title | Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration | |
| Weaknesses | CWE-918 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T21:04:26.002Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62242
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T22:45:03Z