{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47825", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "state": "PUBLISHED", "assignerShortName": "vmware", "dateReserved": "2026-05-20T10:00:48.930Z", "datePublished": "2026-06-15T19:34:29.601Z", "dateUpdated": "2026-06-23T19:55:27.065Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-23T19:55:27.065Z"}, "title": "Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Integrity HIGH (header spoofing from untrusted proxy sources)."}]}], "affected": [{"vendor": "Spring", "product": "Spring Cloud Gateway", "versions": [{"status": "affected", "version": "3.1.0", "lessThan": "3.1.13", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.13", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.9", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.4.1", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.1.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.\n\nAffected versions:\nSpring Cloud Gateway 3.1.x (fix 3.1.13).\nSpring Cloud Gateway 4.1.x (fix 4.1.13).\nSpring Cloud Gateway 4.2.x (fix 4.2.9).\nSpring Cloud Gateway 4.3.x (fix 4.3.5).\nSpring Cloud Gateway 5.0.x (fix 5.0.2).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.\n\nAffected versions:\nSpring Cloud Gateway 3.1.x (fix 3.1.13).\nSpring Cloud Gateway 4.1.x (fix 4.1.13).\nSpring Cloud Gateway 4.2.x (fix 4.2.9).\nSpring Cloud Gateway 4.3.x (fix 4.3.5).\nSpring Cloud Gateway 5.0.x (fix 5.0.2)."}]}], "references": [{"url": "https://spring.io/security/cve-2026-47825"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 8.6, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-16T14:15:33.149410Z", "id": "CVE-2026-47825", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-16T14:15:41.222Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-47825", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-16T14:15:33.149410Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-16T14:15:37.972Z"}}], "cna": {"title": "Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Per CVSS v3.1: Integrity HIGH (header spoofing from untrusted proxy sources)."}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Spring", "product": "Spring Cloud Gateway", "versions": [{"status": "affected", "version": "3.1.0", "lessThan": "3.1.13", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.13", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.9", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.5", "versionType": "custom"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.0.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://spring.io/security/cve-2026-47825"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.\n\nAffected versions:\nSpring Cloud Gateway 3.1.x (fix 3.1.13).\nSpring Cloud Gateway 4.1.x (fix 4.1.13).\nSpring Cloud Gateway 4.2.x (fix 4.2.9).\nSpring Cloud Gateway 4.3.x (fix 4.3.5).\nSpring Cloud Gateway 5.0.x (fix 5.0.2).", "supportingMedia": [{"type": "text/html", "value": "Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.\n\nAffected versions:\nSpring Cloud Gateway 3.1.x (fix 3.1.13).\nSpring Cloud Gateway 4.1.x (fix 4.1.13).\nSpring Cloud Gateway 4.2.x (fix 4.2.9).\nSpring Cloud Gateway 4.3.x (fix 4.3.5).\nSpring Cloud Gateway 5.0.x (fix 5.0.2).", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2026-06-15T19:34:29.601Z"}}}, "cveMetadata": {"cveId": "CVE-2026-47825", "state": "PUBLISHED", "dateUpdated": "2026-06-16T14:15:41.222Z", "dateReserved": "2026-05-20T10:00:48.930Z", "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "datePublished": "2026-06-15T19:34:29.601Z", "assignerShortName": "vmware"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.\n\nAffected versions:\nSpring Cloud Gateway 3.1.x (fix 3.1.13).\nSpring Cloud Gateway 4.1.x (fix 4.1.13).\nSpring Cloud Gateway 4.2.x (fix 4.2.9).\nSpring Cloud Gateway 4.3.x (fix 4.3.5).\nSpring Cloud Gateway 5.0.x (fix 5.0.2)."}], "id": "CVE-2026-47825", "lastModified": "2026-06-16T15:23:55.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@vmware.com", "type": "Secondary"}]}, "published": "2026-06-15T21:17:13.650", "references": [{"source": "security@vmware.com", "url": "https://spring.io/security/cve-2026-47825"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security@vmware.com", "type": "Secondary"}]}

{"bugzilla": {"description": "spring-cloud-gateway: Spring Cloud Gateway Server: Security bypass due to untrusted header forwarding", "id": "2489050", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489050"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "draft"}, "cwe": "CWE-501", "details": ["A flaw was found in Spring Cloud Gateway Server. In certain configurations, the server improperly forwards X-Forwarded-For and Forwarded headers received from untrusted proxies. This vulnerability affects both WebMVC and WebFlux Gateway Servers, potentially allowing an attacker to manipulate the perceived client origin or bypass security controls by injecting malicious header information."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, configure Spring Cloud Gateway Server to explicitly trust only known and secure proxy servers. Review existing configurations to ensure that X-Forwarded-For and Forwarded headers are processed exclusively from trusted sources. If these headers are not essential for application functionality, consider configuring the gateway to strip them from incoming requests. Consult official Spring Cloud Gateway documentation for detailed instructions on proxy configuration and header management."}, "name": "CVE-2026-47825", "package_state": [{"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "opentelemetry-javaagent-spring-cloud-gateway-2.0", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "spring-cloud-gateway-core", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-06-15T19:34:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-47825\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47825\nhttps://spring.io/security/cve-2026-47825"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.1.0,3.1.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1.0,4.1.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.2.0,4.2.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.3.0,4.3.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "spring_cloud_gateway", "vendor": "spring"}], "created": "2026-06-16T23:45:14.507918+00:00", "updated": "2026-06-19T09:39:48.247876+00:00", "vendors": ["spring", "spring$PRODUCT$spring_cloud_gateway"]}