CVE-2026-47825: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies in certain situations
Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies in certain configuration scenarios. This affects both the WebMVC and WebFlux Gateway Servers. Affected versions: Spring Cloud Gateway 3.1.x (fix 3.1.13). Spring Cloud Gateway 4.1.x (fix 4.1.13). Spring Cloud Gateway 4.2.x (fix 4.2.9). Spring Cloud Gateway 4.3.x (fix 4.3.5). Spring Cloud Gateway 5.0.x (fix 5.0.2).
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: 3.1.13
- Affected Products: 1
HarborGuard Analysis
Synopsis
A header-forwarding vulnerability affects Spring Cloud Gateway Server (both WebMVC and WebFlux variants) across multiple release lines. The gateway incorrectly forwards X-Forwarded-For and Forwarded headers originating from untrusted proxies to upstream services, which can let an attacker spoof their source IP address or manipulate routing and access-control logic that depends on those headers. Exploitation requires no authentication and is reachable over the network, enabling an attacker to tamper with integrity-sensitive header values seen by downstream services. Patched-image rebuilds at versions 3.1.13, 4.1.13, 4.2.9, 4.3.5, and 5.0.2 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-47825 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Spring Cloud Gateway.
Triage is available with the full CVSS v3.1 context, scoring this issue at 8.6 HIGH, weighted further against each customer organization's per-environment compliance policy and routed to the appropriate team inbox based on configured ownership rules.
A patched-image rebuild at each applicable fix version (3.1.13, 4.1.13, 4.2.9, 4.3.5, or 5.0.2) becomes available on HarborGuard as soon as the base image resolves to an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Spring Cloud Gateway service over the network to inject or manipulate forwarding headers.
- Authentication: Not required
No account or credential is needed; the attack can be carried out by any unauthenticated network client.
- Victim interaction: Not required
No user action is required; the gateway processes the malicious headers automatically upon receiving the request.
- Attack complexity: Low
Exploit conditions are straightforward and reliable, requiring no race conditions, memory layout knowledge, or other environmental factors.
Blast Radius
- An attacker can inject a forged X-Forwarded-For or Forwarded header that upstream services receive as authoritative, bypassing IP-based access controls or allow-lists.
- Rate-limiting, geo-restriction, or fraud-detection logic that trusts these headers can be defeated, allowing the attacker to masquerade as a trusted network source.
- Audit and access logs populated from forwarding headers record the spoofed address rather than the real origin, undermining forensic accuracy.
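The three blast-radius points above share one root cause: a forwarding header is only as trustworthy as the peer that appended it. The following is an added example, not code from Spring Cloud Gateway or from HarborGuard, written in Python so it runs stand-alone. It shows the trusted-proxy rule a downstream service should apply when recovering the client address from X-Forwarded-For or Forwarded, the header a gateway should emit upstream when the inbound hop is not a trusted proxy (an assumed policy, not the project's documented behaviour), and a check over constructed access-log lines that flags requests whose forwarding header arrived from an untrusted peer. The trusted-proxy ranges, log format and sample lines are all constructed for the example.

```python
"""Defender-side handling of X-Forwarded-For / Forwarded behind a gateway.

Added example, not Spring Cloud Gateway code: the trusted-proxy rule the
advisory implies, the header a gateway should emit upstream, and a check over
constructed access-log lines for hops supplied by untrusted peers.
"""
import ipaddress
import re
from typing import Optional

# Constructed trusted-proxy list: only these peers may add forwarding hops.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.5/32")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is one of our own proxies; malformed input is untrusted."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_xff(header: str) -> list[str]:
    """X-Forwarded-For is a comma-separated list; leftmost is the claimed client."""
    return [h.strip() for h in header.split(",") if h.strip()]


def parse_forwarded(header: str) -> list[str]:
    """Collect the for= values of an RFC 7239 Forwarded header, in order."""
    hops = []
    for element in header.split(","):
        for pair in element.split(";"):
            key, _, value = pair.strip().partition("=")
            if key.lower() != "for":
                continue
            value = value.strip().strip('"')
            if value.startswith("["):          # "[2001:db8::1]:4711" -> IPv6 literal
                value = value[1:value.index("]")]
            elif value.count(":") == 1:        # "198.51.100.7:4711" -> drop the port
                value = value.split(":", 1)[0]
            hops.append(value)
    return hops


def client_ip(remote_addr: str, hops: list[str]) -> str:
    """Walk the chain from the right; stop at the first hop not added by a trusted proxy.

    remote_addr is the TCP peer, which a client cannot forge; each earlier hop is
    believed only if the peer that appended it is itself a trusted proxy.
    """
    candidate = remote_addr.strip()
    for hop in reversed(hops):
        if not is_trusted_proxy(candidate):
            break
        candidate = hop
    return candidate


def outbound_xff(remote_addr: str, inbound_xff: Optional[str]) -> str:
    """X-Forwarded-For a gateway should send upstream (assumed policy, not the
    project's documented behaviour): keep inbound hops only when the peer is a
    trusted proxy, otherwise start a fresh chain from the real peer address."""
    if inbound_xff and is_trusted_proxy(remote_addr):
        return ", ".join(parse_xff(inbound_xff) + [remote_addr])
    return remote_addr


# Constructed access-log format: remote=<peer> xff="<header or empty>" path=<path>
LOG_RE = re.compile(r'remote=(?P<remote>\S+) xff="(?P<xff>[^"]*)" path=(?P<path>\S+)')


def flag_untrusted_forwarding(log_lines: list[str]) -> list[dict]:
    """Flag requests whose forwarding header came from a peer we do not trust.

    These are exactly the headers an unpatched gateway would pass upstream as-is.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or not m["xff"] or is_trusted_proxy(m["remote"]):
            continue
        findings.append({"remote": m["remote"], "claimed": parse_xff(m["xff"]), "path": m["path"]})
    return findings


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    'remote=10.0.0.2 xff="198.51.100.7" path=/api/orders',
    'remote=203.0.113.9 xff="10.0.0.2" path=/admin',
    'remote=203.0.113.9 xff="" path=/',
]

if __name__ == "__main__":
    for f in flag_untrusted_forwarding(SAMPLE_LOG):
        print(f"untrusted peer {f['remote']} claimed {f['claimed']} on {f['path']}")
```

The second sample line is the case this advisory is about: an untrusted peer presents a header naming an internal address. `client_ip` ignores the claim because the peer itself is not a trusted proxy, `outbound_xff` replaces it with the real peer address, and the log check reports it for review. Running the module prints that one finding.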
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-47825 activates the moment the advisory is ingested, flagging any image in a customer registry or build pipeline that bundles an affected Spring Cloud Gateway version (3.1.x before 3.1.13, 4.1.x before 4.1.13, 4.2.x before 4.2.9, 4.3.x before 4.3.5, or 5.0.x before 5.0.2). For customers who opt into auto-remediation, HarborGuard rebuilds the image at the appropriate fix version, executes the configured regression test suite, and opens a pull request against affected workloads; for high-severity issues the median time from CVE publication to merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, the rebuilt image and a detailed triage report are staged and routed to the responsible team inbox for review. Because this vulnerability is straightforwardly exploitable from any network client with no authentication barrier, prioritizing the rebuild and reviewing any upstream trust configuration for X-Forwarded-For and Forwarded headers is advised in the interim.
Fix available
- Spring / Spring Cloud Gateway: < 3.1.13 (from 3.1.0) · < 4.1.13 (from 4.1.0) · < 4.2.9 (from 4.2.0) · < 4.3.5 (from 4.3.0) · < 5.0.2 (from 5.0.0)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N