Skip to main content

Spring Cloud Gateway CVE-2026-47825

| EUVD-2026-37000 HIGH
Origin Validation Error (CWE-346)
2026-06-15 vmware GHSA-hf28-w9wf-5x8m
Java Information Disclosure Spring Cloud Gateway Red Hat
8.6
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
vuln.today AI
6.8 MEDIUM

Network-reachable and unauthenticated, but vendor scopes it to 'certain configuration scenarios' and impact requires a trusting downstream, so AC:H; scope changes to downstream services with integrity-only impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N
Red Hat
7.5 MEDIUM
qualitative

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 15, 2026 - 22:32 EUVD
Analysis Generated
Jun 15, 2026 - 21:53 vuln.today
CVE Published
Jun 15, 2026 - 19:34 cve.org
HIGH 8.6

DescriptionCVE.org

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.

Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).

Articles & Coverage 2

News 3 New Java Vulnerabilities - 3 High Severity Jun 16, 2026 News 3 New Java Vulnerabilities - 3 High Severity, No Public Exploits Jun 15, 2026

AnalysisAI

Origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof client identity by injecting X-Forwarded-For and Forwarded headers that the gateway then forwards from untrusted proxies in certain configuration scenarios. The flaw, tracked as CVE-2026-47825 with a CVSS 3.1 base score of 8.6 (Scope:Changed, Integrity:High), affects Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-facing Spring Cloud Gateway
Delivery
Craft request with forged X-Forwarded-For/Forwarded header
Exploit
Send to gateway over HTTP(S)
Execution
Gateway forwards spoofed header downstream
Persist
Downstream service trusts attacker-supplied client IP
Impact
Bypass IP allow-list or pollute audit logs
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the gateway to be reachable by the attacker and configured in one of the scenarios where it forwards X-Forwarded-For and Forwarded headers from untrusted proxies - per the advisory, the flaw is conditional on configuration rather than affecting every default deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is meaningful but conditional. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote unauthenticated attacker sends an HTTP request to a vulnerable Spring Cloud Gateway with a forged X-Forwarded-For or Forwarded header claiming to originate from a trusted internal IP. The gateway forwards the spoofed header to a downstream microservice that uses it for IP-based access control, rate limiting, or audit logging, granting the attacker access to admin endpoints or hiding the true source IP in logs. …
Remediation Upgrade to the patched release on your current branch: Spring Cloud Gateway 3.1.13, 4.1.13, 4.2.9, 4.3.5, or 5.0.2, per the vendor advisory at https://spring.io/security/cve-2026-47825. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all systems running Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, or 5.0.x; assess exposure to untrusted proxy sources; review gateway logging for header injection attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-28575 CRITICAL
10.0 Jun 17

Local denial of service in Android's PackageInstaller subsystem stems from a logic error in PackageInstallerSession.tran
CVE-2026-41699 CRITICAL
9.8 Jun 11

Remote code execution in Spring for GraphQL versions 1.3.0-1.3.8, 1.4.0-1.4.5, and 2.0.0-2.0.3 allows unauthenticated at
CVE-2026-47835 HIGH
8.6 Jun 15

NoSQL/query injection in Spring AI Vector Stores (1.0.0-1.0.8 and 1.1.0-1.1.7) allows remote unauthenticated attackers t
CVE-2026-40999 HIGH
8.6 Jun 11

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) al
CVE-2026-40998 HIGH
8.2 Jun 11

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath ev

Vendor StatusVendor

Share

CVE-2026-47825 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy