CVE-2026-22750
Published: 10 April 2026
Summary
CVE-2026-22750 is a high-severity External Control of System or Configuration Setting (CWE-15) vulnerability in Spring Cloud Gateway (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 13.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly mandates identifying, reporting, and correcting software flaws such as CVE-2026-22750 through timely patching or upgrading of vulnerable Spring Cloud Gateway versions.
Vulnerability monitoring and scanning: requires scanning deployments to identify affected Spring Cloud Gateway 4.2.x versions so they can be remediated.
CM-6 (Configuration Settings): requires that SSL bundle settings be defined, implemented, and verified in the running system, which is what exposes a custom spring.ssl.bundle property that is silently ignored in favour of the default SSL configuration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Exploit Public-Facing Application (T1190): a Spring Cloud Gateway instance is typically an internet-facing entry point, and the flaw is reachable remotely without authentication. Because the custom SSL configuration is ignored, an attacker can reach the gateway running under an unintended default SSL configuration, which the CVSS vector scores as an integrity impact on the traffic it handles.
NVD Description
When configuring SSL bundles in Spring Cloud Gateway by using the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/ . Ideally if you are not an enterprise customer, you should be upgrading to 5.0.2 or 5.1.1 which are the current supported open source releases.
Deeper analysis
CVE-2026-22750 is a vulnerability in Spring Cloud Gateway in which an SSL bundle configured through the spring.ssl.bundle property is silently ignored, so the application falls back to the default SSL configuration. The issue affects the 4.2.x branch, including version 4.2.0; that branch is no longer under open source support. The vulnerability is classified under CWE-15 (External Control of System or Configuration Setting) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N): network-reachable, low complexity, no privileges or user interaction required, with a high integrity impact and no confidentiality or availability impact.
The practical consequence is that the key and trust material an operator believes to be in effect is never applied, and the gateway runs with whatever the default SSL configuration provides. The vector attributes a high integrity impact (I:H) to traffic handled under that unintended configuration. Because the property is ignored silently, nothing in the configuration or the startup logs signals the problem: an operator who checks only that spring.ssl.bundle is set will conclude the deployment is hardened when it is not. The check that matters is to confirm the deployed Spring Cloud Gateway version and to verify at runtime, for example by connecting to the gateway and to its upstreams with test certificates, that connections actually use the intended bundle.
The Spring advisory at https://spring.io/security/cve-2026-22750 recommends upgrading from Spring Cloud Gateway 4.2.0 to any newer 4.2.x release available on Maven Central (https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/), while noting that the 4.2.x branch itself is out of open source support. For non-enterprise users, the recommended fix is to upgrade to 5.0.2 or 5.1.1, the currently supported open source releases.
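The version guidance in the NVD description and the analysis above can be turned into a repeatable check. The following is an added example, not code from the advisory, from this page, or from the Spring project: it reads Maven `dependency:tree` output and a pom.xml, picks out Spring Cloud Gateway artifacts, and classifies each declared version against the releases the advisory names (4.2.0 vulnerable; later 4.2.x fixed but out of open source support; 5.0.2 and 5.1.1 supported). The artifact-name pattern (`spring-cloud-gateway*` and `spring-cloud-starter-gateway*` under `org.springframework.cloud`) and the sample build files are assumptions constructed for the example; any version the advisory does not mention is reported for manual review rather than guessed at.

```python
"""Version check for CVE-2026-22750 (added example, not from the advisory or Spring)."""
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, NamedTuple, Tuple

GATEWAY_GROUP = "org.springframework.cloud"
# Assumption: gateway artifacts follow these naming patterns.
GATEWAY_ARTIFACT = re.compile(r"^spring-cloud-(starter-)?gateway")

# Version facts are taken from the advisory text on this page.
VULNERABLE_RELEASE = (4, 2, 0)
SUPPORTED_OSS = ((5, 0, 2), (5, 1, 1))  # current supported open source lines


class Finding(NamedTuple):
    artifact: str
    version: str
    status: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.0' or '5.1.1-SNAPSHOT' -> numeric tuple; qualifiers are dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3]) or (0,)


def classify(version: str) -> str:
    """Map a declared version onto the advisory's guidance; anything else is 'verify'."""
    v = parse_version(version)
    if v == VULNERABLE_RELEASE:
        return "vulnerable: CVE-2026-22750, upgrade"
    if v[:2] == (4, 2) and v > VULNERABLE_RELEASE:
        return "fixed, but 4.2.x is out of open source support"
    for line in SUPPORTED_OSS:
        if v[:2] == line[:2] and v >= line:
            return "supported open source release"
    return "not covered by the advisory text; verify manually"


def findings_from_dependency_tree(text: str) -> Iterator[Finding]:
    """Scan `mvn dependency:tree` output; this sees BOM-managed versions that pom.xml hides."""
    for line in text.splitlines():
        for token in line.split():
            parts = token.split(":")
            if len(parts) < 3 or parts[0] != GATEWAY_GROUP:
                continue
            artifact = parts[1]
            if not GATEWAY_ARTIFACT.match(artifact):
                continue
            # Coordinate shapes: g:a:v | g:a:type:v | g:a:type:v:scope | g:a:type:classifier:v:scope
            version = next((p for p in parts[2:] if p[:1].isdigit()), None)
            if version:
                yield Finding(artifact, version, classify(version))


def findings_from_pom(xml_text: str) -> Iterator[Finding]:
    """Scan explicit <dependency> versions in a pom.xml (default POM namespace handled)."""
    root = ET.fromstring(xml_text)
    ns = root.tag.partition("}")[0] + "}" if root.tag.startswith("{") else ""
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId", "")
        artifact = dep.findtext(f"{ns}artifactId", "")
        version = dep.findtext(f"{ns}version")
        if group != GATEWAY_GROUP or not GATEWAY_ARTIFACT.match(artifact):
            continue
        if version is None or version.startswith("${"):
            # Starters are usually versioned by the Spring Cloud BOM: unresolvable here.
            yield Finding(artifact, version or "<managed>",
                          "version managed by BOM/property; resolve with dependency:tree")
            continue
        yield Finding(artifact, version, classify(version))


# Constructed sample inputs (not real project files or real build output).
SAMPLE_TREE = """\
[INFO] com.example:edge:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-starter-gateway:jar:4.2.0:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-gateway-server:jar:4.2.0:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-webflux:jar:3.4.0:compile
"""

SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-gateway-server-webflux</artifactId>
      <version>5.1.1</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-gateway</artifactId>
    </dependency>
  </dependencies>
</project>
"""


def scan(tree_text: str = SAMPLE_TREE, pom_text: str = SAMPLE_POM) -> List[Finding]:
    return list(findings_from_dependency_tree(tree_text)) + list(findings_from_pom(pom_text))


if __name__ == "__main__":
    for f in scan():
        print(f"{f.artifact:45} {f.version:12} {f.status}")
```

This is a version check only: it tells you whether a build declares an affected release, not whether a given deployment's SSL bundle is actually in effect. Because gateway starters normally inherit their version from the Spring Cloud BOM, pom.xml alone often shows no version at all, which is why the `dependency:tree` path is the one to rely on.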
Details
- CWE(s)