CVE-2026-22750: How to Detect and Remediate the Spring Cloud Gateway 4.2.0 SSL Bundle Bypass

Spring Cloud Gateway 4.2.0 contains a high-severity vulnerability in which SSL bundle configuration set via spring.ssl.bundle is silently ignored at runtime. The gateway falls back to its default SSL configuration with no warning, no error, and no indication that the property was never applied. CVE-2026-22750 carries a CVSS 3.1 base score of 8.6 High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) as scored by NVD.

Only Spring Cloud Gateway 4.2.0 is affected. A fix exists. Whether you need to act depends entirely on which version and support tier you are running. The purpose of this post is to provide clarity on how/when action is required for CVE-2026-22750 - Spring Cloud Gateway 4.2.0 vulnerability.

‍

TL;DR: Where you stand

‍

Who is affected by CVE-2026-22750?

The answer depends on two factors: your version and whether you configured spring.ssl.bundle.

You are NOT currently exposed if the property is absent. However, any future use of spring.ssl.bundle on 4.2.0 would be silently ignored and introduce risk:

• You are running Spring Cloud Gateway 4.2.1+. These branches are not affected by this CVE.
• You are a HeroDevs NES customer on the 4.2.x version. The HeroDevs NES fork is currently at 4.2.7, which inherits the fix from 4.2.1. You are already covered. No action required.
• You are on 4.2.0 but have never configured spring.ssl.bundle. If the property is absent, the default JVM SSL context was in use from the start. There is no configuration gap to exploit.

‍

You ARE affected if all of the following are true:

• You are running Spring Cloud Gateway 4.2.0
• You have configured spring.ssl.bundle in your application properties

If this describes your deployment, your custom SSL configuration has never been active. The gateway has been routing upstream traffic using the JVM's default SSL context since you deployed 4.2.0.

‍

‍

What "silently ignored" means in practice

This is the category of vulnerability that configuration reviews miss because nothing looks wrong. spring.ssl.bundle accepts a value, the application starts, logs are clean, and routing works. There is no error, no deprecation warning, no startup failure. The configuration appears to be active. It is not.

At runtime, Spring Cloud Gateway 4.2.0 constructs the referenced SSL bundle object but never wires it into the Netty HTTP client that handles upstream connections. All gateway-to-upstream TLS connections use the default JVM SSL context. The gap between "configured" and "applied" is invisible without inspecting actual TLS handshakes.

Depending on what your SSL bundle was intended to enforce, the operational exposure varies:

Custom CA trust. If you configured a private or internal CA to validate upstream service certificates, the gateway is using the JVM default CA bundle instead. Upstream services presenting certificates from your internal CA may fail, or the gateway may trust CAs you did not intend.

Mutual TLS. If your gateway was supposed to present client certificates to upstream services requiring mTLS authentication, those certificates are not being presented. Services that should enforce mTLS are operating without it.

Cipher restrictions and TLS version policy. Security hardening applied through the bundle (disabling weak ciphers, restricting to TLS 1.3, removing deprecated protocol versions) is not in effect. Your gateway may be negotiating TLS sessions it was explicitly configured to reject.

Compliance documentation. If your SSL bundle configuration was documented as a security control for SOC 2, PCI DSS, HIPAA, or FedRAMP, that documentation describes a configuration that was never running. The gap between your architecture diagram and your actual runtime state is a material finding in any control audit.

‍

Technical detail

Root cause: Spring Cloud Gateway 4.2.0 reads the spring.ssl.bundle configuration property and constructs the referenced SSL bundle object, but does not apply it to the HttpClient used by the gateway's routing infrastructure. The wiring step that would pass the SSL context to the reactive HTTP client is missing.

The issue originated as a code defect in the 4.2.0 release: SSL bundle integration was implemented at the configuration layer but not carried through to the transport layer. It was reported as a bug, a fix was applied, and the issue was formally assigned CVE-2026-22750 after active exploitation of the configuration gap was discovered.

CVSS 3.1 base score: 8.6 High. Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L. The High confidentiality impact reflects scenarios where the absence of enforced mTLS or CA trust allows interception of gateway-to-upstream traffic. NVD scores this 8.6 High; the Spring advisory labels it Medium. NVD's assessment reflects the deployment impact more accurately for most production environments.

Reported by: Otmane Omry (@otmaneomry).

REF: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L&version=3.1

‍

Remediation for teams on Spring Cloud Gateway 4.2.0 

If you are a HeroDevs NES customer or on an open-source version of 4.2.1 or greater, you are already covered. The paths below apply to teams running open-source version 4.2.0:

Option 1: Upgrade to Open Source Spring Cloud Gateway 4.2.1 or later

This is the OSS remediation path. 4.2.1 and later currently are supported open source releases and are not affected by CVE-2026-22750. 

Option 2: HeroDevs NES for Spring Cloud Gateway

HeroDevs NES provides a remediated package path, in version 4.2.7, for EOL Spring components. 

Contact HeroDevs to learn about NES for Spring

‍

Frequently asked questions about CVE-2026-22750

Is there a free OSS fix in the 4.2.x branch?

Yes. The 4.2.x branch has an open source security support via 4.2.1. 

‍

I'm a HeroDevs NES customer. Do I need to do anything?

No. The HeroDevs NES fork is at 4.2.7 and includes the fix. You are already covered.

‍

Exactly which version is affected?

Spring Cloud Gateway 4.2.0 only. 4.2.1 and later.

‍

Am I affected if I'm not using spring.ssl.bundle?

No. The vulnerability is specifically in how the spring.ssl.bundle property is processed at runtime. If you have not configured this property, the default JVM SSL context was in use from the start and there is no gap.

‍

How do I confirm whether I'm exposed?

Search your build files for a single case, “Spring Cloud Server 4.2.0” 

‍

Will this show up in Snyk, Tenable, or other scanners?

Yes, once CVE-2026-22750 is indexed in NVD and OSV, scanners will flag Spring Cloud Gateway 4.2.0.

‍

Does this affect Spring Boot's SSL bundle support outside of Spring Cloud Gateway?

No. This is a Spring Cloud Gateway-specific wiring issue between the SSL bundle configuration and the Netty HTTP client. Spring Boot's spring.ssl.bundle support in non-gateway contexts is not affected.

‍

Taking action

If you are running Spring Cloud Gateway 4.2.0 without either of those support tiers and you have spring.ssl.bundle configured, your custom SSL settings have not been enforced since deployment. The OSS fix requires upgrading to Spring Cloud Gateway 4.2.1. For teams that cannot complete that migration in the near term, HeroDevs NES provides a remediated package.

Contact HeroDevs to learn about NES for Spring

Related vulnerabilities:

• Vulnerability Directory entry for CVE-2026-22750
• CVE-2026-22732: Spring Security silently drops HTTP security headers
• CVE-2026-22739: Spring Cloud Config profile substitution enables SSRF