Spring Cloud Gateway
An origin validation failure in Spring Cloud Gateway (WebMVC and WebFlux Server variants) allows remote attackers to spoof client identity by injecting X-Forwarded-For and Forwarded headers, which the gateway then forwards from untrusted proxies in certain configuration scenarios. The flaw, tracked as CVE-2026-47825 with a CVSS 3.1 base score of 8.6 (Scope:Changed, Integrity:High), affects Spring Cloud Gateway 3.1.x, 4.1.x, 4.2.x, 4.3.x, and 5.0.x. No public exploit had been identified at the time of analysis, but the trust-boundary nature of the issue makes it an attractive target for downstream authentication and access-control bypass.
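A downstream service that takes the leftmost X-Forwarded-For entry as the client address accepts whatever value was injected upstream. The following is an added example, not code from the advisory or from the Spring project: it resolves the client by walking the chain from the right and stopping at the first hop outside a trusted-proxy allow-list. The class name, the allow-list and the sample addresses are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class ForwardedForResolver {
    // Assumption: exact addresses of the proxies this service trusts to append X-Forwarded-For.
    private final Set<String> trustedProxies;

    public ForwardedForResolver(Set<String> trustedProxies) {
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /** Naive resolution: the leftmost entry, which the original sender controls. */
    static String leftmost(List<String> hops, String remoteAddr) {
        return hops.isEmpty() ? remoteAddr : hops.get(0);
    }

    /** Flatten repeated header lines and comma-separated values into one hop list. */
    static List<String> parse(List<String> headerValues) {
        List<String> hops = new ArrayList<>();
        for (String value : headerValues) {
            for (String hop : value.split(",")) {
                if (!hop.isBlank()) hops.add(hop.trim());
            }
        }
        return hops;
    }

    /** Walk right to left; the first hop that is not a trusted proxy is the client. */
    public String resolve(String remoteAddr, List<String> headerValues) {
        if (!trustedProxies.contains(remoteAddr)) {
            return remoteAddr; // untrusted peer: ignore the header entirely
        }
        List<String> hops = parse(headerValues);
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!trustedProxies.contains(hops.get(i))) return hops.get(i);
        }
        return remoteAddr; // every listed hop is one of our own proxies
    }

    public static void main(String[] args) {
        // Constructed sample: the gateway at 10.0.0.5 appended the peer it observed,
        // 198.51.100.23, to a sender-supplied value of 203.0.113.7.
        ForwardedForResolver r = new ForwardedForResolver(Set.of("10.0.0.5"));
        List<String> xff = List.of("203.0.113.7, 198.51.100.23");
        System.out.println("leftmost:   " + leftmost(parse(xff), "10.0.0.5"));
        System.out.println("right-walk: " + r.resolve("10.0.0.5", xff));
        System.out.println("direct hit: " + r.resolve("192.0.2.44", xff));
    }
}
```

The right-to-left walk is only sound when each trusted proxy appends the peer address it actually observed, so it complements upgrading the gateway and does not replace it.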