CVE-2026-47825: Security Advisory

CVE: CVE-2026-47825 CVSS 8.6

CVE-2026-47825 is a high-severity vulnerability (CVSS 8.6).

Summary

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers.

Affected versions (fixed release in parentheses): Spring Cloud Gateway 3.1.x (fix 3.1.13), 4.1.x (fix 4.1.13), 4.2.x (fix 4.2.9), 4.3.x (fix 4.3.5), and 5.0.x (fix 5.0.2).

Remediation

Apply the vendor’s update during your next patch window and verify exposure. Patch-management tools that can deploy and verify the fix include Action1, Automox, ManageEngine Patch Manager Plus, and ManageEngine Endpoint Central.

Sources

Data as of June 16, 2026. Sources: nvd.nist.gov, spring.io. Figures are pulled from public vendor and security data and refreshed automatically.