Description
Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can force the server to make HTTP requests to arbitrary internal addresses and retrieve response bodies via the actuator proxy to exfiltrate cloud credentials.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Mon, 13 Jul 2026 23:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Codecentric
Codecentric spring Boot Admin |
|
| Vendors & Products |
Codecentric
Codecentric spring Boot Admin |
Mon, 13 Jul 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can force the server to make HTTP requests to arbitrary internal addresses and retrieve response bodies via the actuator proxy to exfiltrate cloud credentials. | |
| Title | Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration | |
| Weaknesses | CWE-918 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-13T21:04:26.002Z
Reserved: 2026-07-13T16:41:09.007Z
Link: CVE-2026-62242
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T22:45:03Z
Weaknesses
-
CWE-918
Server-Side Request Forgery (SSRF)