Home

Description

Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managementUrl parameters without validation against private IP ranges or metadata endpoints. Attackers can force the server to make HTTP requests to arbitrary internal addresses and retrieve response bodies via the actuator proxy to exfiltrate cloud credentials.

PUBLISHED Reserved 2026-07-13 | Published 2026-07-13 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Problem types

Server-Side Request Forgery (SSRF)

Product status

Default status
unaffected

Any version before 4.1.2
affected

Credits

George Chen finder

References

github.com/codecentric/spring-boot-admin/releases/tag/4.1.2 (spring-boot-admin 4.1.2 Release Notes) release-notes patch

github.com/codecentric/spring-boot-admin/issues/5452 (Researcher Disclosure) technical-description exploit issue-tracking

github.com/codecentric/spring-boot-admin/pull/5464 (Pull Request) issue-tracking patch

github.com/...ommit/1f991ea013e46360b8f8fb63fe4ad20a9bf0d551 (Patch Commit) patch

www.vulncheck.com/...a-unauthenticated-instance-registration third-party-advisory

cve.org (CVE-2026-62242)

nvd.nist.gov (CVE-2026-62242)

Download JSON