CVE-2026-22750: SSL Configuration Error in Spring Cloud Gateway
Severity: Medium (Score: 57.8)
Sources: spring.io, Heise.De
Summary
A vulnerability (CVE-2026-22750) was identified in VMware Tanzu Spring Cloud Gateway: SSL configurations set through the property spring.ssl.bundle were ignored, so the gateway used default SSL settings instead. The issue affects users of Spring Cloud Gateway 4.2.0 and earlier versions, and can compromise security when administrators make critical changes that are not applied. The vulnerability was reported by Otmane Omry and has been classified as 'high' severity.
A patch has been released in version 4.2.1, but it is only available to enterprise customers. Users are advised to upgrade to supported versions 5.0.2 or 5.1.1. No active exploitation has been reported as of now. The vulnerability was published on April 10, 2026.
Key Points
- CVE-2026-22750 affects SSL configuration in Spring Cloud Gateway.
- The vulnerability allows default SSL settings to be used instead of custom configurations.
- A patch is available for enterprise users; others should upgrade to versions 5.0.2 or 5.1.1.
Key Entities
- CVE-2026-22750 (cve)
- Apache Tomcat (platform)
- OpenJDK (platform)
- Spring Cloud Gateway (platform)
- VMware Tanzu Spring Cloud Gateway (platform)