diff --git a/java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md b/java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md index f35a3386e72..d0474959b9c 100644 --- a/java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md +++ b/java/ql/lib/change-notes/2026-06-30-spring-webclient-uri-ssrf.md @@ -1,4 +1,4 @@ --- category: minorAnalysis --- -* The `uri` method of Spring's reactive `WebClient` is now considered a request forgery sink. Previously only the `create` and `baseUrl` methods were considered. This may lead to more alerts for the query `java/ssrf` (Server-side request forgery). +* The first argument of the `uri` method of `WebClient$UriSpec` in `org.springframework.web.reactive.function.client` is now considered a request forgery sink. Previously only the first arguments of the `WebClient.create` and `WebClient$Builder.baseUrl` methods were considered. This may lead to more alerts for the query `java/ssrf` (Server-side request forgery).