High severity · 7.5 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 13, 2026

CVE-2026-22750

CVE-2026-22750

Description

When SSL bundles were configured in Spring Cloud Gateway through the configuration property spring.ssl.bundle, the configuration was silently ignored and the default SSL configuration was used instead. As a result, the certificates and keys defined in the bundle were not applied, and an operator could believe a TLS configuration was in force when it was not. Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gateway 4.2.0 and are not an enterprise customer, you can upgrade to any Spring Cloud Gateway 4.2.x release newer than 4.2.0 available on Maven Central (https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/). Ideally, if you are not an enterprise customer, you should upgrade to 5.0.2 or 5.1.1, which are the current supported open source releases.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.springframework.cloud:spring-cloud-gateway (Maven) | >= 4.2.0, < 4.2.1 | 4.2.1

Patches

1
84009f2ee421

Ssl bundles not working because of wrong condition (#3641)

3 files changed · +77 4
  • spring-cloud-gateway-server/src/main/java/org/springframework/cloud/gateway/config/AbstractSslConfigurer.java+1 4 modified
    @@ -67,10 +67,7 @@ protected HttpClientProperties.Ssl getSslProperties() {
     	}
     
     	protected SslBundle getBundle() {
    -		if (ssl.getSslBundle() == null || ssl.getSslBundle().length() > 0) {
    -			return null;
    -		}
    -		if (bundles.getBundleNames().contains(ssl.getSslBundle())) {
    +		if (ssl.getSslBundle() != null && ssl.getSslBundle().length() > 0 && bundles.getBundleNames().contains(ssl.getSslBundle())) {
     			return bundles.getBundle(ssl.getSslBundle());
     		}
     		return null;
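Review bot: A bundle name that is set but not registered still makes `getBundle()` reach the final `return null;`, so a typo in the configured name would presumably fall back to the default SSL configuration just as quietly as the inverted length check did. When the name is non-empty I would either call `bundles.getBundle(ssl.getSslBundle())` without the `contains` guard, letting Spring Boot's `NoSuchSslBundleException` surface the mistake, or at least log a warning naming the missing bundle before returning null. Reading the name once into a local (`String name = ssl.getSslBundle();`) and testing it with `StringUtils.hasText(name)` would also shorten the new condition line. The closing brace of `getBundle()` and its callers are outside the hunk, so how a null result is handled downstream is inferred from the advisory text rather than visible here.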
    
  • spring-cloud-gateway-server/src/test/java/org/springframework/cloud/gateway/test/ssl/ClientCertAuthSSLBundleTests.java+33 0 added
    @@ -0,0 +1,33 @@
    +package org.springframework.cloud.gateway.test.ssl;
    +
    +import io.netty.handler.ssl.SslContextBuilder;
    +import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
    +import org.junit.jupiter.api.BeforeEach;
    +import org.springframework.beans.factory.annotation.Autowired;
    +import org.springframework.boot.ssl.SslBundles;
    +import org.springframework.boot.test.context.SpringBootTest;
    +import org.springframework.http.client.reactive.ReactorClientHttpConnector;
    +import org.springframework.test.annotation.DirtiesContext;
    +import org.springframework.test.context.ActiveProfiles;
    +import reactor.netty.http.client.HttpClient;
    +
    +import static org.springframework.boot.test.context.SpringBootTest.WebEnvironment.RANDOM_PORT;
    +
    +@SpringBootTest(webEnvironment = RANDOM_PORT)
    +@DirtiesContext
    +@ActiveProfiles("client-auth-ssl-bundle")
    +public class ClientCertAuthSSLBundleTests extends SingleCertSSLTests {
    +	@Autowired
    +	private SslBundles sslBundles;
    +
    +	@BeforeEach
    +	public void setup() throws Exception {
    +		final var sslBundle = sslBundles.getBundle("scg-keystore-with-different-key-password");
    +		final var sslContext = SslContextBuilder.forClient()
    +				.trustManager(InsecureTrustManagerFactory.INSTANCE)
    +				.keyManager(sslBundle.getManagers().getKeyManagerFactory())
    +				.build();
    +		HttpClient httpClient = HttpClient.create().secure(ssl -> ssl.sslContext(sslContext));
    +		setup(new ReactorClientHttpConnector(httpClient), "https://localhost:" + port);
    +	}
    +}
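Review bot: The client built in `setup()` accepts any server certificate through `InsecureTrustManagerFactory.INSTANCE`, and nothing in the class says that this is deliberate or what the test is meant to prove. A class-level Javadoc should state that, as the `client-auth-ssl-bundle` profile appears to arrange, the gateway's outbound client can only complete the `client-auth: Need` handshake if the `ssl-bundle` key material is really applied, which is the regression being covered; a line comment such as `// test-only: server certificate is not verified here` belongs next to the trust manager. The assertions come from `SingleCertSSLTests`, which is outside this diff, so that coverage claim should be confirmed there. A negative case for an empty or unknown bundle name is also missing, leaving the `return null` path of `getBundle()` untested.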
    
  • spring-cloud-gateway-server/src/test/resources/application-client-auth-ssl-bundle.yml+43 0 added
    @@ -0,0 +1,43 @@
    +test:
    +  uri: lb:https://testservice
    +
    +server:
    +  ssl:
    +    enabled: true
    +    key-alias: scg
    +    key-store-password: scg1234
    +    key-password: keyscg1234
    +    key-store: classpath:scg-keystore-with-different-key-password.jks
    +    trust-store: classpath:scg-truststore.jks
    +    trust-store-password: scg1234
    +    trust-store-type: JKS
    +    key-store-type: JKS
    +    client-auth: Need
    +spring:
    +  cloud:
    +    gateway:
    +      httpclient:
    +        ssl:
    +          ssl-bundle: scg-keystore-with-different-key-password
    +          trustedX509Certificates:
    +          - src/test/resources/single-cert-for-different-key-password.pem
    +      default-filters:
    +      - PrefixPath=/httpbin
    +      routes:
    +      - id: default_path_to_httpbin
    +        uri: ${test.uri}
    +        order: 10000
    +        predicates:
    +        - name: Path
    +          args:
    +            pattern: /**
    +  ssl:
    +    bundle:
    +      jks:
    +        scg-keystore-with-different-key-password:
    +          key:
    +            password: keyscg1234
    +          keystore:
    +            type: JKS
    +            location: classpath:scg-keystore-with-different-key-password.jks
    +            password: scg1234
    \ No newline at end of file
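Review bot: `trustedX509Certificates` points at `src/test/resources/single-cert-for-different-key-password.pem`, a path relative to the working directory, while every store in this profile is addressed with `classpath:`; the test will presumably fail when it is launched from another directory, so a working-directory-independent location is preferable if the property accepts one. The profile also sets both `ssl-bundle` and `trustedX509Certificates` under `httpclient.ssl` without saying which of them supplies trust material, and a comment such as `# key material comes from the bundle; trust comes from the PEM below` (once confirmed against the configurer) would prevent misreading. The passwords are fixtures for the checked-in JKS files and are worth labelling, e.g. `# test-only credentials for the test keystore`.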
    
