Server-Side Request Forgery Vulnerability in Spring Boot Admin Pre 4.1.2
CVE-2026-62242
Key Information:
- Vendor
Codecentric
- Status
- Vendor
- CVE Published:
- 13 July 2026
Badges
What is CVE-2026-62242?
The Spring Boot Admin Server prior to version 4.1.2 contains a vulnerability that permits unauthenticated attackers to exploit server-side request forgery (SSRF). This flaw allows malicious actors to register instances with manipulated healthUrl and managementUrl parameters, bypassing validation checks against private IP ranges or metadata endpoints. As a result, attackers can coerce the server into making HTTP requests to unauthorized internal addresses, thereby retrieving sensitive response bodies through the actuator proxy, which may expose cloud credentials.
Affected Version(s)
spring-boot-admin 0 < 4.1.2
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
