Description
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.

Affected versions:
Spring Cloud Gateway 3.1.x (fix 3.1.13).
Spring Cloud Gateway 4.1.x (fix 4.1.13).
Spring Cloud Gateway 4.2.x (fix 4.2.9).
Spring Cloud Gateway 4.3.x (fix 4.3.5).
Spring Cloud Gateway 5.0.x (fix 5.0.2).
Published: 2026-06-15
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Spring Cloud Gateway, used with both WebMVC and WebFlux, incorrectly forwards X-Forwarded-For and Forwarded headers when established behind proxies that are not explicitly trusted. The CVE description notes only that the gateway forwards these headers; based on that, it is inferred that an attacker controlling a malicious proxy can insert or modify these headers to mislead downstream applications. If an application relies on the client IP for access control or other logic, this can lead to bypassing policy checks, user impersonation, and other privilege-escalation scenarios. The flaw corresponds to Missing Authentication for API (CWE-346) and Information Exposure (CWE-501).

Affected Systems

Affected versions include Spring Cloud Gateway 3.1.x (fixed in 3.1.13), 4.1.x (fixed in 4.1.13), 4.2.x (fixed in 4.2.9), 4.3.x (fixed in 4.3.5), and 5.0.x (fixed in 5.0.2). Systems running any of these unpatched releases are vulnerable.

Risk and Exploitability

Based on the description, the likely attack vector is the deployment of a compromised or malicious proxy that can inject forged headers, which does not require special application credentials. The CVSS score of 8.6 indicates a high severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild as of the last update. The vulnerability is not listed in CISA’s KEV catalog, which means there are no known exploited instances reported.

Generated by OpenCVE AI on June 17, 2026 at 23:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Spring Cloud Gateway to at least the patched versions for the corresponding series (e.g., 3.1.13, 4.1.13, 4.2.9, 4.3.5, or 5.0.2).
  • Configure the gateway to only trust headers from explicitly defined, secure upstream proxies by using the appropriate trusted-proxy settings and disabling forwarding of X-Forwarded-For and Forwarded headers from unknown sources.
  • Restrict the gateway’s exposure to untrusted network segments, ensuring that only internal or VPN-only connections can act as upstream proxies.

Generated by OpenCVE AI on June 17, 2026 at 23:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Spring
Spring spring Cloud Gateway
Vendors & Products Spring
Spring spring Cloud Gateway

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).
Title Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}


Subscriptions

Spring Spring Cloud Gateway
cve-icon MITRE

Status: PUBLISHED

Assigner: vmware

Published:

Updated: 2026-06-23T19:55:27.065Z

Reserved: 2026-05-20T10:00:48.930Z

Link: CVE-2026-47825

cve-icon Vulnrichment

Updated: 2026-06-16T14:15:37.972Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-15T21:17:13.650

Modified: 2026-06-16T15:23:55.263

Link: CVE-2026-47825

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T19:34:29Z

Links: CVE-2026-47825 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:39:48Z

Weaknesses