CVE-2026-47825
8.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Summary
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.
Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Spring | Spring Cloud Gateway | 3.1.0 < 3.1.13 | affected |
| Spring | Spring Cloud Gateway | 4.1.0 < 4.1.13 | affected |
| Spring | Spring Cloud Gateway | 4.2.0 < 4.2.9 | affected |
| Spring | Spring Cloud Gateway | 4.3.0 < 4.3.4.1 | affected |
| Spring | Spring Cloud Gateway | 5.0.0 < 5.0.1.1 | affected |
Weaknesses
- CWE-346: CWE-346: Origin Validation Error
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.