Primary

Context

Spring Cloud Gateway HTTP2 Insecure TrustManager Vulnerability

Vulnerability

Patched

A vulnerability exists in Spring Cloud Gateway versions prior to 3.1.1+ that allows applications enabled for HTTP2, without a key store or trusted certificates, to use an insecure TrustManager. This misconfiguration enables the gateway to connect to remote services using invalid or custom certificates.

Impact

Exploitation of this vulnerability allows for connections to remote services with invalid or custom certificates, potentially leading to man-in-the-middle attacks or other security risks associated with untrusted certificates.

Remediation

Users of Spring Cloud Gateway 3.1.0 should upgrade to version 3.1.1 or later. No additional steps are necessary.

Added: Apr 7, 2026, 11:25 AM

Updated: Apr 7, 2026, 11:25 AM

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

1.3

exploitability

7.0

remediation

7.9

relevance

0.0

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

1.3

exploitability

7.0

remediation

7.9

relevance

0.0

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Spring Cloud Gateway HTTP2 Insecure TrustManager Vulnerability

Vulnerability

Impact

Remediation

Affected Products

VMware Spring Cloud Gateway

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating