SecuriTricks - CVE-2026-22750

Description

When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases.

Product(s) Impacted

Vendor	Product	Versions
Spring	Cloud Gateway	4.2.0, 5.0.2, 5.1.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-15

External Control of System or Configuration Setting

One or more system settings or configuration elements can be externally controlled by a user.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	spring	cloud_gateway	4.2.0	/	/	/	/	/	/	/
a	spring	cloud_gateway	5.0.2	/	/	/	/	/	/	/
a	spring	cloud_gateway	5.1.1	/	/	/	/	/	/	/

References

https://spring.io/security/cve-2026-22750

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

View Vector String

Timeline

Published: April 10, 2026, 8:16 a.m.
Last Modified: April 10, 2026, 1:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-22750