Configuration in Spring Cloud Gateway - CVE-2026-22750

 

Published: April 9, 2026


Vulnerability identifier: #VU125720
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-22750
CWE-ID: CWE-16
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
Spring Cloud Gateway

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper security configuration in the handling of SSL bundles when the spring.ssl.bundle configuration property is processed. A remote attacker can exploit the use of the default SSL configuration to disclose sensitive information.

The configured SSL bundle is silently ignored and the default SSL configuration is used instead.


How to mitigate CVE-2026-22750

Install the security update from the vendor's website.
