High (7.5)

Spring Gateway exposes TLS traffic (CVE-2026-22750)

CVE-2026-22750

CVE-2026-22750 in Spring Cloud Gateway 4.2.0 silently ignores custom SSL config, enabling MITM attacks. Upgrade to 5.0.2 or 5.1.1 to restore intended encryption.

Vendor-confirmed: CVE-2026-22750 is a high-severity configuration-handling flaw in Spring Cloud Gateway 4.2.0 that gives an attacker on the network path man-in-the-middle leverage, because the gateway silently ignores administrator-defined SSL/TLS certificates and reverts to its weaker defaults. Upgrade to version 5.0.2 or 5.1.1 to enforce the security profile you intended.

Overview

A high-severity misconfiguration vulnerability (CVE-2026-22750) exists in Spring Cloud Gateway. When administrators use the spring.ssl.bundle configuration property to set up custom SSL/TLS certificates, the gateway silently ignores this configuration and falls back to its default SSL settings instead. This failure occurs without any warning or error in the application logs.

Affected Versions

The vulnerability specifically affects Spring Cloud Gateway 4.2.0. The 4.2.x branch is no longer under open-source support. Users are strongly advised to check their deployment version immediately.

Impact and Risk

This flaw has a CVSS score of 7.5 (High). Because the intended custom SSL configuration is ignored, the gateway may establish connections using weaker, default cryptographic settings or incorrect certificates. This could lead to several security risks, including:

  • Man-in-the-middle (MITM) exposure if the default settings leave traffic less protected than the custom bundle was meant to make it.
  • Connection failures or warnings if the default certificates are not trusted by connecting clients or backend services.
  • A false sense of security, as administrators believe a specific, stronger security profile is active when it is not.

The CVSS vector is network-based and requires no privileges or user interaction. No special trigger is needed: the weakened TLS posture applies to every connection the gateway handles, so an attacker only needs a position on the network path to take advantage of it. Its EPSS score at publication was 0.00034 (about 0.03%), indicating a very low probability of exploitation in the next 30 days. This is a significant configuration-integrity issue rather than an actively attacked flaw.

Remediation and Mitigation

The primary remediation is to upgrade the affected software.

  • For users of Spring Cloud Gateway 4.2.0 (non-enterprise): later 4.2.x releases are available on Maven Central, but the 4.2.x branch is out of open-source support, so staying on it is at best a stopgap.
  • Recommended upgrade path: all users, especially those without enterprise support, should move to a currently supported open-source release, Spring Cloud Gateway 5.0.2 or 5.1.1.
  • Configuration workaround: where an upgrade cannot be applied yet, set spring.cloud.gateway.ssl-bundle explicitly in addition to spring.ssl.bundle so the gateway is told which bundle to use (the mitigation recommended in the May 2026 update below).
  • Verification: after any upgrade or configuration change, confirm from a client that the intended SSL/TLS configuration is active, for example by connecting with openssl s_client and checking that the certificate chain, protocol version and cipher presented match the bundle you configured. Do not treat the absence of errors in the gateway's own logs as evidence, since the affected version logs nothing when it discards the bundle.
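One way to perform that verification from a client, as an added example that is not from the advisory or the Spring project: the script below connects to the gateway, reads the leaf certificate it actually presents, and compares its SHA-256 fingerprint with the certificate in the bundle's PEM file, also reporting the negotiated protocol version and cipher. Hostname, port and PEM path are command-line arguments; SAMPLE_DER and SAMPLE_PEM are constructed placeholders used only to exercise the PEM parsing offline and are not real certificates.

```python
"""Verify that a Spring Cloud Gateway endpoint serves the certificate from its
configured SSL bundle.  Added example, not from the advisory or the Spring
project: the SHA-256 fingerprint of the leaf certificate seen on the wire is
compared with the fingerprint of the certificate in the bundle's PEM file."""
import base64
import hashlib
import re
import socket
import ssl

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_leaf_fingerprint(pem_text: str) -> str:
    """Fingerprint of the first (leaf) certificate in a PEM file or chain."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    der = base64.b64decode("".join(match.group(1).split()))
    return sha256_fingerprint(der)


def live_leaf_fingerprint(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with the gateway; return (fingerprint, tls_version, cipher).

    Certificate verification is disabled on purpose: we want to see whatever
    certificate the gateway actually serves, including an untrusted default
    one, instead of having the client reject it before we can inspect it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return sha256_fingerprint(der), tls.version(), tls.cipher()[0]


def bundle_is_active(observed_fp: str, pem_text: str) -> bool:
    """True only when the served leaf certificate is the bundle's certificate."""
    return observed_fp == pem_leaf_fingerprint(pem_text)


# Constructed sample for offline use: arbitrary bytes wrapped as a CERTIFICATE
# block so the PEM parsing can be exercised.  This is NOT a real certificate.
SAMPLE_DER = b"constructed-der-placeholder-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    import sys
    host, port, pem_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(pem_path) as fh:
        pem = fh.read()
    served, version, cipher = live_leaf_fingerprint(host, port)
    print(f"{host}:{port} negotiated {version} {cipher}")
    print(f"  served: {served}")
    print(f"  bundle: {pem_leaf_fingerprint(pem)}")
    sys.exit(0 if bundle_is_active(served, pem) else 1)
```

Run it as `python verify_bundle.py gateway.example.internal 8443 gateway-cert.pem`; a non-zero exit means the gateway served something other than the bundle's leaf certificate, which is exactly the silent fallback this advisory describes. For a JKS or PKCS12 bundle, export the certificate to PEM first (`keytool -exportcert -rfc` or `openssl pkcs12 -nokeys`). The check is client-side on purpose: it observes what the gateway does rather than what its configuration says.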


Security Insight

This vulnerability highlights a critical class of risk: silent failure in security configuration. Unlike a crash or an error log, the system keeps operating, opening a gap between perceived and actual security posture. It echoes past incidents on other platforms where security settings were ignored without alerting the administrator, and it underlines that a security control is only deployed once it has been verified from the outside. A TLS handshake check against the expected certificate, repeated after every upgrade and restart, is the control that would have surfaced this issue on day one.

Update - May 2026

As of 2026-05-13, CVE-2026-22750 remains absent from the CISA Known Exploited Vulnerabilities catalog, though defenders should continue monitoring for potential inclusion. The EPSS probability score has increased marginally from 0.00034 (at initial publication) to 0.0005, now sitting at the 16th percentile, suggesting limited but slightly rising exploitation interest.

The vendor has not released a dedicated patch release. The recommendation remains to upgrade to 5.0.2 or 5.1.1, and the previously recommended workaround, explicitly defining spring.cloud.gateway.ssl-bundle in addition to spring.ssl.bundle, remains the advised mitigation where an upgrade is not yet possible. No new related CVEs for Spring Cloud Gateway's SSL bundle handling have been published since the April advisory.

No confirmed in-the-wild exploitation reports have emerged. Detection signatures focusing on unexpected default SSL configurations, or on log entries indicating "using default SSL context despite bundle configuration", are now available in several open-source SIEM rule repositories. Defenders should scan Spring Cloud Gateway logs for such anomalies, with one caveat: the affected version emits no warning when it discards the bundle (see Overview), so the absence of such a log line is not evidence that the bundle is in use. Verifying the live handshake remains the reliable check.

Given the low exploit probability and the absence of mass exploitation, the upgrade can be scheduled rather than treated as an emergency, but the workaround should be validated in every affected deployment now. Organizations using custom SSL bundles must confirm both that the spring.cloud.gateway.ssl-bundle property is explicitly set and that the intended certificates are actually being served.
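A static check for the configuration gap this update describes, as an added example that is not from the advisory or the Spring project: it reads Spring Boot application.properties text (an application.yml flattens to the same dotted keys), collects the bundles defined under the standard spring.ssl.bundle.pem.* and spring.ssl.bundle.jks.* prefixes, and reports when spring.cloud.gateway.ssl-bundle (the property this update names as the workaround) is missing or points at an undefined bundle. The two embedded configurations are constructed for illustration; WEAK_CONFIG is the bundle-only pattern the advisory describes and FIXED_CONFIG adds the explicit reference.

```python
"""Static check for the configuration gap described in this advisory: an SSL
bundle is defined under spring.ssl.bundle.* but the gateway is never told to
use it.  Added example, not from the advisory or the Spring project."""
import re

# spring.ssl.bundle.pem.<name>.* and spring.ssl.bundle.jks.<name>.* are the
# standard Spring Boot bundle property prefixes; <name> is the bundle name.
BUNDLE_KEY = re.compile(r"^spring\.ssl\.bundle\.(pem|jks)\.([^.]+)\.")
# Property the May 2026 update names as the workaround (taken from the page).
GATEWAY_REF_KEY = "spring.cloud.gateway.ssl-bundle"
PROPERTY_LINE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Minimal .properties reader: 'key=value' or 'key: value'; '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def defined_bundles(props: dict) -> set:
    """Names of every bundle configured under spring.ssl.bundle.pem/jks."""
    names = set()
    for key in props:
        m = BUNDLE_KEY.match(key)
        if m:
            names.add(m.group(2))
    return names


def audit_gateway_ssl(text: str) -> list:
    """Return findings as strings; an empty list means the config is consistent."""
    props = parse_properties(text)
    bundles = defined_bundles(props)
    if not bundles:
        return []  # no custom bundle, so nothing for the gateway to ignore
    ref = props.get(GATEWAY_REF_KEY)
    if ref is None:
        return [f"bundle(s) {sorted(bundles)} defined but {GATEWAY_REF_KEY} is not set; "
                "on the affected release the gateway silently falls back to its defaults"]
    if ref not in bundles:
        return [f"{GATEWAY_REF_KEY}={ref!r} does not name any defined bundle {sorted(bundles)}"]
    return []


# Constructed configurations for illustration (not from a real deployment).
# WEAK_CONFIG is the bundle-only pattern the advisory describes; FIXED_CONFIG
# adds the explicit gateway reference from the recommended workaround.
WEAK_CONFIG = """\
spring.ssl.bundle.pem.gateway.keystore.certificate=classpath:gateway-cert.pem
spring.ssl.bundle.pem.gateway.keystore.private-key=classpath:gateway-key.pem
spring.ssl.bundle.pem.gateway.truststore.certificate=classpath:upstream-ca.pem
"""
FIXED_CONFIG = WEAK_CONFIG + "spring.cloud.gateway.ssl-bundle=gateway\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit_gateway_ssl(cfg) or ["OK: gateway references a defined bundle"])
```

This catches the configuration-level gap in CI or a pre-deployment review, but it only proves that the gateway was told which bundle to use. Whether the running instance actually loaded it still has to be confirmed against the live handshake, as the Verification step above describes.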
