Home
HIGH: 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NDefault status
unaffected
3.1.0 (custom) before 3.1.13
affected
4.1.0 (custom) before 4.1.13
affected
4.2.0 (custom) before 4.2.9
affected
4.3.0 (custom) before 4.3.5
affected
5.0.0 (custom) before 5.0.2
affected
Description
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).
Problem types
CWE-346: Origin Validation Error
Product status
3.1.0 (custom) before 3.1.13
4.1.0 (custom) before 4.1.13
4.2.0 (custom) before 4.2.9
4.3.0 (custom) before 4.3.5
5.0.0 (custom) before 5.0.2
References
spring.io/security/cve-2026-47825