CVE-2026-62242
codecentric · spring-boot-admin
The codecentric Spring Boot Admin Server is susceptible to Server-Side Request Forgery (SSRF) during unauthenticated instance registration.
Executive summary
A critical SSRF vulnerability in the codecentric Spring Boot Admin Server allows unauthenticated attackers to perform malicious requests, necessitating an immediate update.
Vulnerability
This vulnerability (CWE-918) allows an unauthenticated attacker to trigger Server-Side Request Forgery by exploiting the instance registration process. The application fails to properly validate the input provided during the registration phase, enabling the server to make unauthorized requests to internal or external resources.
Business impact
With a CVSS score of 8.6, this vulnerability poses a significant risk to the security of internal networks. An attacker could potentially bypass firewall protections to reach internal services, exfiltrate sensitive configuration data, or interact with private endpoints, resulting in unauthorized access and potential data leakage.
Remediation
Immediate Action: Upgrade the Spring Boot Admin Server to version 4.1.2 or later as provided by codecentric.
Proactive Monitoring: Review application logs for suspicious registration attempts and unexpected outbound network traffic originating from the Admin Server.
Compensating Controls: Implement strict egress filtering on the server host to prevent it from accessing unauthorized internal or external network segments.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations utilizing Spring Boot Admin must treat this as a high-priority security update. Upgrading to 4.1.2 is the only reliable method to remediate the underlying SSRF vulnerability and secure the administration server against unauthorized exploitation.