CVE-2026-47825

Authorization Bypass
Affects: Spring Cloud Gateway (Spring)
Versions: <=4.3.4, >=5.0.0 <=5.0.1
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Spring Cloud Gateway is an API gateway built on the Spring ecosystem that routes requests to downstream services and applies cross-cutting concerns such as security, monitoring, and resiliency. It ships two server flavors, one built on Spring WebFlux and one built on Spring WebMVC, and both append standard proxy headers such as Forwarded and X-Forwarded-For to requests they forward.

A high-severity vulnerability (CVE-2026-47825) has been identified in Spring Cloud Gateway. In certain configuration scenarios, both the WebFlux and WebMVC Gateway Servers forward the X-Forwarded-For and Forwarded headers supplied by untrusted clients to downstream services instead of stripping them. A client that connects to the gateway directly can therefore inject arbitrary values for the apparent client IP address, host, and protocol that downstream services receive.

Per OWASP, broken access control occurs when restrictions on what users are allowed to do are not properly enforced, so that an actor is able to act outside of their intended permissions. Downstream services routinely trust forwarded headers from a gateway for IP-based allowlisting, rate limiting, tenant resolution, audit logging, and link generation, so spoofed values can let an attacker bypass IP-based access controls or poison security-relevant records.

This issue affects versions <=4.3.4 and >=5.0.0 <=5.0.1 of Spring Cloud Gateway. Older, unsupported versions are also affected.

Details

Vulnerability Info

Spring Cloud Gateway manages proxy headers through ForwardedHeadersFilter and XForwardedHeadersFilter in the WebFlux server, and through ForwardedRequestHeadersFilter and XForwardedRequestHeadersFilter in the WebMVC server. These filters honor the spring.cloud.gateway.trusted-proxies property, which defines a pattern of proxy addresses whose forwarded headers may be trusted.

The protection had two gaps. First, when trusted-proxies was configured and a request arrived from an address that did not match the pattern, the filters declined to append gateway-generated values but returned the incoming headers unchanged, so the untrusted client's own Forwarded and X-Forwarded-For headers were passed through to the downstream service:

if (trustedProxies != null && request.getRemoteAddress() != null
        && !trustedProxies.isTrusted(request.getRemoteAddress().getHostString())) {
    log.trace(LogMessage.format("Remote address not trusted. pattern %s remote address %s", trustedProxies,
            request.getRemoteAddress()));
    // Gap 1: the untrusted peer's own Forwarded / X-Forwarded-* headers are handed back
    // unchanged, so they reach the downstream service instead of being removed.
    return input;
}

Second, when trusted-proxies was not configured at all, the forwarded-header filters were not registered, so nothing removed the incoming headers and they flowed to the backend untouched.

The remediation removes all Forwarded and X-Forwarded-* headers unless something is explicitly configured to allow them through. Requests from proxies that do not match the trusted-proxies pattern now have those headers stripped rather than passed along, and new removal filters (RemoveForwardedHeadersFilter and RemoveXForwardedHeadersFilter in the WebFlux server, with equivalent filters in the WebMVC server) are enabled automatically whenever the corresponding allow filter is not active. In addition, the WebFlux server's NettyServerCustomizer is now disabled by default and must be explicitly re-enabled with the customizer-enabled property if required.
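The following is an added example, not code from Spring Cloud Gateway or from HeroDevs: a self-contained model of the forwarded-header decision described above, with the pre-fix branch (untrusted or unconfigured peers pass their headers through) beside the remediated branch (strip everything unless the peer matches trusted-proxies). It assumes trusted-proxies is a Java regex matched against the remote host string, reduces the gateway's own appended value to X-Forwarded-For, and uses constructed addresses and header values; the class name, method names and the sample request are the example's own.

```java
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Pattern;

// Added example, not Spring Cloud Gateway's own code: models the trusted-proxies decision
// for Forwarded / X-Forwarded-* headers, vulnerable branch beside the hardened one.
public final class ForwardedHeaderPolicy {

    // null models "spring.cloud.gateway.trusted-proxies not configured";
    // a non-null value is assumed to be a regex, e.g. "10\\.0\\.0\\..*"
    private final Pattern trustedProxies;

    public ForwardedHeaderPolicy(String trustedProxiesRegex) {
        this.trustedProxies = (trustedProxiesRegex == null) ? null : Pattern.compile(trustedProxiesRegex);
    }

    // Forwarded and every X-Forwarded-* header (For, Host, Proto, Port, Prefix, ...)
    static boolean isForwardedHeader(String name) {
        String n = name.toLowerCase(Locale.ROOT);
        return n.equals("forwarded") || n.startsWith("x-forwarded-");
    }

    // Mirrors trustedProxies.isTrusted(request.getRemoteAddress().getHostString())
    boolean isTrusted(InetSocketAddress remote) {
        return trustedProxies != null && remote != null
                && trustedProxies.matcher(remote.getHostString()).matches();
    }

    // Pre-fix behaviour: an untrusted peer's headers are returned unchanged ("return input"),
    // and with no trusted-proxies configured the filter was never registered at all.
    public Map<String, List<String>> vulnerable(Map<String, List<String>> in, InetSocketAddress remote) {
        Map<String, List<String>> out = copy(in);
        if (!isTrusted(remote)) {
            return out;                 // client-supplied Forwarded / X-Forwarded-* reach the backend
        }
        return appendThisHop(out, remote);
    }

    // Fixed behaviour: remove all Forwarded / X-Forwarded-* headers unless the peer matches the pattern.
    public Map<String, List<String>> hardened(Map<String, List<String>> in, InetSocketAddress remote) {
        Map<String, List<String>> out = copy(in);
        if (!isTrusted(remote)) {
            out.keySet().removeIf(ForwardedHeaderPolicy::isForwardedHeader);
            return out;                 // backend sees only what it can verify: the gateway as its peer
        }
        return appendThisHop(out, remote);
    }

    // Case-insensitive copy, since HTTP header names are case-insensitive
    private static Map<String, List<String>> copy(Map<String, List<String>> in) {
        Map<String, List<String>> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        in.forEach((k, v) -> out.put(k, new ArrayList<>(v)));
        return out;
    }

    // The gateway records the address it actually saw as the next X-Forwarded-For hop
    private static Map<String, List<String>> appendThisHop(Map<String, List<String>> out, InetSocketAddress remote) {
        out.computeIfAbsent("X-Forwarded-For", k -> new ArrayList<>()).add(remote.getHostString());
        return out;
    }

    public static void main(String[] args) {
        // Constructed request: a client on a documentation address (TEST-NET-3) connects to the
        // gateway directly and claims an internal source address through both header forms.
        Map<String, List<String>> request = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        request.put("Host", List.of("api.example.test"));
        request.put("X-Forwarded-For", List.of("10.0.0.5"));
        request.put("Forwarded", List.of("for=10.0.0.5;proto=https"));
        InetSocketAddress client = InetSocketAddress.createUnresolved("203.0.113.7", 51234);
        InetSocketAddress trustedProxy = InetSocketAddress.createUnresolved("10.0.0.9", 4000);

        ForwardedHeaderPolicy configured = new ForwardedHeaderPolicy("10\\.0\\.0\\..*");
        ForwardedHeaderPolicy unconfigured = new ForwardedHeaderPolicy(null);

        System.out.println("vulnerable, pattern set:    " + configured.vulnerable(request, client));
        System.out.println("vulnerable, no pattern:     " + unconfigured.vulnerable(request, client));
        System.out.println("hardened,   pattern set:    " + configured.hardened(request, client));
        System.out.println("hardened,   trusted proxy:  " + configured.hardened(request, trustedProxy));
    }
}
```

Run it as a single-file program with `java ForwardedHeaderPolicy.java` (Java 11 or later). The first two lines of output show the spoofed 10.0.0.5 surviving in both gaps the advisory describes; the third shows the remediated behaviour leaving only the Host header for a direct client, so a downstream service that does IP allowlisting falls back to the gateway's real peer address rather than a value the client chose; the fourth shows a peer matching the pattern keeping its chain and gaining one hop.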

This vulnerability was introduced in 2018 with Spring Cloud Gateway 2.0.

Mitigation

Spring Cloud Gateway 3.0.x, 3.1.x, 4.1.x, and 4.2.x are End-of-Life in open source and have no publicly available fix for this issue; see https://spring.io/projects/spring-cloud-gateway for the support timeline. HeroDevs does not recommend that users attempt to develop and apply their own source patches to End-of-Life software.

The recommended actions are:

  1. Upgrade to a supported, fixed release. The issue is fixed in OSS in Spring Cloud Gateway 4.3.4.1, 4.3.5, 5.0.1.1, and 5.0.2. After upgrading, set spring.cloud.gateway.trusted-proxies to the addresses of proxies you trust, and only re-enable the Netty server customizer via the customizer-enabled property if your deployment requires it.
  2. For End-of-Life lines that cannot be upgraded, HeroDevs Never-Ending Support (NES) for Spring Cloud Gateway is making this fix available as a drop-in replacement that remains compatible with the affected versions. Learn more about HeroDevs Never-Ending Support for Spring Cloud Gateway and request coverage at https://www.herodevs.com/support/spring-nes

Credits

  • samarthd (finder)
Vulnerability Details

Severity: High (CVSS bands: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-47825
Project Affected: Spring Cloud Gateway
Versions Affected: <=4.3.4, >=5.0.0 <=5.0.1
NES Versions Affected: none listed
Published date: June 18, 2026
Fix date (approximate): June 15, 2026
Category: Authorization Bypass
VEX Document: available for download