CVE-2026-22750: SSL Configuration Error in Spring Cloud Gateway

CVE-2026-22750: SSL Configuration Error in Spring Cloud Gateway

First seen 13 Apr 2026, 15:30 UTC Heise.Despring.io 84% similarity 57.8

Article Content

Browse articles
ThreatCluster

A vulnerability (CVE-2026-22750) was identified in VMware Tanzu Spring Cloud Gateway, where SSL configurations using the property spring.ssl.bundle were ignored, leading to the use of default SSL settings. This issue affects users of Spring Cloud Gateway 4.2.0 and earlier versions, potentially compromising security if administrators make critical changes that are not applied. The vulnerability was reported by Otmane Omry and has been classified as 'high' severity. A patch has been released in version 4.2.1, but it is only available to enterprise customers. Users are advised to upgrade to supported versions 5.0.2 or 5.1.1. No active exploitation has been reported as of now. The vulnerability was published on April 10, 2026.

Key Points: • CVE-2026-22750 affects SSL configuration in Spring Cloud Gateway. • The vulnerability allows default SSL settings to be used instead of custom configurations. • A patch is available for enterprise users; others should upgrade to versions 5.0.2 or 5.1.1.

ThreatCluster AI

Timeline

2026-04-10
CVE-2026-22750 published
2026-04-13
Articles published detailing the vulnerability and patch

Community

Browse all →