CVE-2026-22750: Vulnerability in VMware Spring Cloud Gateway
When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases.
AI Analysis
Technical Summary
The vulnerability in Spring Cloud Gateway 4.2.0 involves the improper handling of the spring.ssl.bundle configuration property. When this property is set, it is silently ignored, and the system falls back to the default SSL configuration. This behavior can cause the intended SSL bundle settings to be bypassed, potentially impacting the security posture of applications relying on customized SSL configurations. The issue is specific to version 4.2.0, with later versions in the 4.2.x branch and the 5.x branch providing fixes or improvements. The CVSS 3.1 score is 7.5, indicating a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.
Potential Impact
The impact of this vulnerability is that the intended SSL bundle configuration is not applied, which could allow an attacker to interfere with the integrity of the system's SSL handling. This may lead to scenarios where SSL protections are weaker than expected, potentially enabling man-in-the-middle or other integrity-related attacks. There is no confidentiality or availability impact reported. No known exploits in the wild have been identified.
Mitigation Recommendations
No official patch or remediation level is explicitly provided in the available data. However, the vendor advisory recommends upgrading from version 4.2.0 to any newer 4.2.x release available on Maven Central or preferably to supported open source releases 5.0.2 or 5.1.1. Users should perform these upgrades to ensure the vulnerability is addressed. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
CVE-2026-22750: Vulnerability in VMware Spring Cloud Gateway
Description
When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Centeral https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Spring Cloud Gateway 4.2.0 involves the improper handling of the spring.ssl.bundle configuration property. When this property is set, it is silently ignored, and the system falls back to the default SSL configuration. This behavior can cause the intended SSL bundle settings to be bypassed, potentially impacting the security posture of applications relying on customized SSL configurations. The issue is specific to version 4.2.0, with later versions in the 4.2.x branch and the 5.x branch providing fixes or improvements. The CVSS 3.1 score is 7.5, indicating a high severity with network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact.
Potential Impact
The impact of this vulnerability is that the intended SSL bundle configuration is not applied, which could allow an attacker to interfere with the integrity of the system's SSL handling. This may lead to scenarios where SSL protections are weaker than expected, potentially enabling man-in-the-middle or other integrity-related attacks. There is no confidentiality or availability impact reported. No known exploits in the wild have been identified.
Mitigation Recommendations
No official patch or remediation level is explicitly provided in the available data. However, the vendor advisory recommends upgrading from version 4.2.0 to any newer 4.2.x release available on Maven Central or preferably to supported open source releases 5.0.2 or 5.1.1. Users should perform these upgrades to ensure the vulnerability is addressed. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- vmware
- Date Reserved
- 2026-01-09T06:55:03.990Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d8c0ed1cc7ad14daa35358
Added to database: 4/10/2026, 9:20:45 AM
Last enriched: 4/10/2026, 9:36:01 AM
Last updated: 4/11/2026, 6:02:07 AM
Views: 27
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.