CVE-2026-22750
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
NVD entry not available yet.
Vulnerability Details
- CVE ID: CVE-2026-22750
- Project Affected: Spring Cloud Gateway
- Versions Affected: < NES For Spring v4.2.8
- Fixed In: NES For Spring v4.2.8
- ~ Fix Date: unknown
- Severity: UNKNOWN
- Category: Not classified
Overview
Spring Cloud Gateway is a library built on top of the Spring ecosystem that provides API gateway functionality for microservices architectures. It handles routing, load balancing, and cross-cutting concerns such as security, monitoring, and resiliency for downstream services. Starting with version 4.2.0, Spring Cloud Gateway added support for Spring Boot's SSL Bundles: a centralized way to configure SSL/TLS trust material (keystores, truststores, and certificates) using the spring.ssl.bundle configuration property. This feature allows administrators to define named bundles of SSL settings and reference them across the application, simplifying mutual TLS (mTLS) setups and custom certificate chain management.
This vulnerability affects applications using Spring Cloud Gateway 4.2.0 that configure SSL bundles via spring.ssl.bundle properties. The problem is that a wrong condition in the auto-configuration logic causes the SSL bundle to be silently ignored. The gateway falls back to the JVM's default SSL context without logging any warning, leaving administrators with a false sense of security.
Details
Module Info
- Product: Spring Cloud Gateway
- Affected packages: spring-cloud-gateway-server (affected versions: < NES For Spring v4.2.8)
- GitHub repository:
- Published packages: https://central.sonatype.com/artifact/org.springframework.cloud/spring-cloud-gateway-server
- Package manager: Maven
- Fixed In: NES For Spring v4.2.8
Vulnerability Info
A vulnerability (CVE-2026-22750) exists in Spring Cloud Gateway's handling of SSL bundle configuration. When configuring SSL bundles using the spring.ssl.bundle configuration property, the gateway silently ignores the configuration and falls back to the default SSL configuration instead. This is an instance of Not Failing Securely (CWE-636), where the application fails to enforce a security-critical configuration and instead reverts to a weaker default without alerting the user.
In this case, an administrator who has explicitly configured custom SSL bundles - for example, to enforce mutual TLS (mTLS), use specific trust stores, or restrict certificate authorities - would unknowingly be operating with the JVM's default SSL configuration. This creates a false sense of security: the configuration appears to be in place, but the gateway is not actually applying it.
The root cause is a wrong condition check in the SSL bundle auto-configuration logic introduced in version 4.2.0. The conditional expression that determines whether to apply the SSL bundle configuration evaluates incorrectly, causing the custom bundle to be skipped entirely. Because the fallback is silent (no warning or error is logged), the issue can go undetected in production environments.
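The advisory does not show the actual conditional, so the following is an added illustration (not Spring Cloud Gateway's or HeroDevs' code) of the failure mode it describes and of the fail-closed alternative. It models a component that resolves its TLS trust material from Spring Boot-style spring.ssl.bundle.<jks|pem>.<name>.<setting> properties. The function names (resolve_silent, resolve_fail_closed, check_effective), the stand-in wrong condition (testing for the literal prefix key instead of a defined bundle) and the sample property values are all hypothetical; the property layout matches Spring Boot's bundle configuration.

```python
"""Model of CWE-636 (not failing securely) for SSL bundle selection.

Illustrative code, not taken from Spring Cloud Gateway. The "wrong condition"
below is a hypothetical stand-in for the one the advisory describes.
"""
import logging
import re
from dataclasses import dataclass
from typing import Dict, Optional

log = logging.getLogger("ssl-bundle-check")

# Spring Boot defines bundles as spring.ssl.bundle.<jks|pem>.<name>.<setting>
BUNDLE_KEY = re.compile(r"^spring\.ssl\.bundle\.(jks|pem)\.([^.]+)\.(.+)$")


@dataclass(frozen=True)
class SslMaterial:
    """Where the effective TLS trust material came from."""
    source: str                 # "bundle:<name>" or "jvm-default"
    truststore: Optional[str]   # None means the JVM's own cacerts


JVM_DEFAULT = SslMaterial("jvm-default", None)


class SslBundleError(RuntimeError):
    """Raised when a referenced bundle cannot be applied (fail closed)."""


def parse_bundles(props: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group flat properties into {bundle_name: {setting: value}}."""
    bundles: Dict[str, Dict[str, str]] = {}
    for key, value in props.items():
        m = BUNDLE_KEY.match(key)
        if m:
            _, name, setting = m.groups()
            bundles.setdefault(name, {})[setting] = value
    return bundles


def _from_bundle(name: str, bundle: Dict[str, str]) -> SslMaterial:
    trust = bundle.get("truststore.location") or bundle.get("truststore.certificate")
    return SslMaterial(f"bundle:{name}", trust)


def resolve_silent(props: Dict[str, str], bundle_name: Optional[str]) -> SslMaterial:
    """Vulnerable pattern (hypothetical): the enabling check tests the wrong thing.

    'spring.ssl.bundle' is only a prefix and is never set as a key, so the guard is
    always true and a fully defined bundle is skipped with no log line at all.
    """
    if bundle_name is None or "spring.ssl.bundle" not in props:
        return JVM_DEFAULT  # silent fallback: the administrator never learns of it
    return _from_bundle(bundle_name, parse_bundles(props)[bundle_name])


def resolve_fail_closed(props: Dict[str, str], bundle_name: Optional[str]) -> SslMaterial:
    """Hardened pattern: use the default only when no bundle was asked for, and
    refuse to start if a named bundle is missing or carries no trust material."""
    if bundle_name is None:
        log.info("no SSL bundle configured; using the JVM default trust store")
        return JVM_DEFAULT
    bundle = parse_bundles(props).get(bundle_name)
    if bundle is None:
        raise SslBundleError(f"SSL bundle '{bundle_name}' is referenced but not defined")
    material = _from_bundle(bundle_name, bundle)
    if material.truststore is None:
        raise SslBundleError(f"SSL bundle '{bundle_name}' defines no trust material")
    log.info("applied SSL bundle %s (trust: %s)", bundle_name, material.truststore)
    return material


def check_effective(expected_bundle: Optional[str], effective: SslMaterial) -> list:
    """Startup self-check: report when the effective material did not come from
    the bundle the operator configured. An empty list means the check passed."""
    findings = []
    if expected_bundle is not None and effective.source != f"bundle:{expected_bundle}":
        findings.append(
            f"bundle '{expected_bundle}' is configured but effective trust material "
            f"is {effective.source}; TLS is not enforced as intended"
        )
    return findings


# Constructed sample configuration (not from the advisory).
SAMPLE_PROPS = {
    "spring.ssl.bundle.jks.downstream.truststore.location": "classpath:downstream-truststore.p12",
    "spring.ssl.bundle.jks.downstream.truststore.password": "changeit",
    "spring.ssl.bundle.jks.downstream.keystore.location": "classpath:gateway-client.p12",
    "spring.ssl.bundle.jks.downstream.keystore.password": "changeit",
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for resolver in (resolve_silent, resolve_fail_closed):
        effective = resolver(SAMPLE_PROPS, "downstream")
        print(resolver.__name__, "->", effective.source, check_effective("downstream", effective))
```

Running the block shows the two resolvers disagreeing on the same input: the silent variant reports jvm-default with a finding from check_effective, while the fail-closed variant reports bundle:downstream with none. The self-check is the piece worth keeping: whatever component applies the bundle, comparing where the effective trust material came from against what was configured turns a silent downgrade into a startup failure or an alert.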
An attacker positioned on the network path between the gateway and downstream services could potentially exploit this to:
- Intercept traffic that was intended to be protected by a specific certificate chain
- Bypass mutual TLS requirements that were configured but not enforced
- Access services that were meant to be restricted to clients presenting specific certificates
Mitigation
Users of the affected components should apply the following mitigation:
- Upgrade to Spring Cloud Gateway 4.2.1 or newer.