High (7.5)

Spring Gateway exposes TLS traffic (CVE-2026-22750)

CVE-2026-22750

When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. N...

Overview

A high-severity misconfiguration vulnerability (CVE-2026-22750) exists in Spring Cloud Gateway. When administrators use the spring.ssl.bundle configuration property to set up custom SSL/TLS certificates, the gateway silently ignores this configuration and falls back to its default SSL settings instead. This failure occurs without any warning or error in the application logs.

Affected Versions

The vulnerability specifically affects Spring Cloud Gateway 4.2.0. The 4.2.x branch is no longer under open-source support. Users are strongly advised to check their deployment version immediately.

Impact and Risk

This flaw has a CVSS score of 7.5 (High). Because the intended custom SSL configuration is ignored, the gateway may establish connections using weaker, default cryptographic settings or incorrect certificates. This could lead to several security risks, including:

  • The potential for man-in-the-middle (MITM) attacks if traffic is not encrypted as intended.
  • Connection failures or warnings if the default certificates are not trusted by connecting clients or backend services.
  • A false sense of security, as administrators believe a specific, stronger security profile is active when it is not.

The attack vector is network-based, requires no privileges or user interaction, and is straightforward to trigger by making a request to the misconfigured gateway. However, its EPSS score is currently 0.0%, indicating a very low probability of active exploitation in the next 30 days. It is a significant configuration integrity issue rather than an actively attacked flaw.

Remediation and Mitigation

The primary remediation is to upgrade the affected software.

  • For users of Spring Cloud Gateway 4.2.0 (non-enterprise): Upgrade to any newer version in the 4.2.x series available on Maven Central. Note that this branch is not supported.
  • Recommended Upgrade Path: All users, especially those without enterprise support, should upgrade to a currently supported open-source release: Spring Cloud Gateway 5.0.2 or 5.1.1.
  • Verification: After applying any upgrade or configuration change, rigorously test that your intended SSL/TLS configuration is active by inspecting handshakes and ensuring the correct certificates are presented.
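One way to carry out that verification step is to compare the leaf certificate the gateway actually presents with the certificate in the bundle, so a silently ignored bundle shows up as a fingerprint mismatch. This is an added example, not code from the advisory or from the Spring project; the host name, port and PEM path are assumptions, and the PEM constant is a constructed placeholder.

```python
"""Check that the certificate a gateway serves matches its SSL bundle (added example)."""
import base64
import hashlib
import socket
import ssl

# Constructed placeholder only; in use, read the bundle's certificate PEM from disk.
BUNDLE_CERT_PEM = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    start = pem.index(begin) + len(begin)
    stop = pem.index(end, start)
    return base64.b64decode("".join(pem[start:stop].split()))


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_presented_der(host: str, port: int, server_name: str) -> bytes:
    """Open a TLS connection and return the leaf certificate the server presents.
    Verification is disabled on purpose: the point is to observe whatever the
    gateway serves, including an untrusted default certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def bundle_active(presented_der: bytes, expected_pem: str) -> bool:
    """True only if the served leaf certificate is the bundle's certificate."""
    return fingerprint_der(presented_der) == fingerprint_der(pem_to_der(expected_pem))


if __name__ == "__main__":
    import sys
    host, port = "gateway.example.internal", 8443  # assumed deployment values
    with open("bundle-cert.pem") as f:             # assumed path to the bundle cert
        expected_pem = f.read()
    served = fetch_presented_der(host, port, host)
    ok = bundle_active(served, expected_pem)
    print("bundle certificate in effect" if ok else
          "MISMATCH: gateway is serving a different certificate "
          f"({fingerprint_der(served)[:16]}...)")
    sys.exit(0 if ok else 1)
```

A mismatch after a configuration change means the bundle property was not honoured, which is exactly the silent failure this advisory describes.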


Security Insight

This vulnerability highlights a critical class of risk: silent failure in security configuration. Unlike a crash or an error log, the system keeps running, creating a dangerous gap between the perceived and the actual security posture. It echoes past incidents on other platforms where security settings were ignored without alerting the administrator, and it underlines that verifying a security control is as important as deploying it.
