
19 matches found

Nuclei
added yesterday · 14 views

Spring Cloud Gateway Server Webflux - Broken Access Control

Spring Cloud Gateway Server Webflux contains a vulnerability caused by unsecured, exposed actuator endpoints that allow modification of Spring Environment properties, letting attackers modify configuration. Exploitation requires the unsecured actuator endpoints to be exposed. id: CVE-2025-41243 info: name:...

CVSS 10 · AI score 5.4 · EPSS 0.06417
Exploits: 0 · References: 4

EUVD
added 2026/03/20 12:31 a.m. · 3 views

EUVD-2026-13349

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

CVSS 8.2 · AI score 5.8 · EPSS 0.00036
Exploits: 0 · References: 2

NVD
added 2026/03/20 12:16 a.m. · 1 views

CVE-2026-22733

Spring Boot applications with Actuator can be vulnerable to an "Authentication Bypass" vulnerability when an application endpoint that requires authentication is declared under the path used by the CloudFoundry Actuator endpoints. This issue affects Spring Security: from 4.0.0 through 4.0.3, from...

CVSS 8.2 · EPSS 0.00036
Exploits: 0 · References: 1

RedhatCVE
added 2025/10/17 4:55 p.m. · 2 views

CVE-2025-41253

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...

CVSS 7.5 · AI score 6.8 · EPSS 0.00049
Exploits: 0 · References: 1

EUVD
added 2025/10/16 3:30 p.m. · 2 views

EUVD-2025-34761

Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection...

CVSS 7.5 · AI score 6.7 · EPSS 0.00049
Exploits: 0 · References: 5

Github Security Blog
added 2025/10/16 3:30 p.m. · 8 views

Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...

CVSS 7.5 · AI score 6.8 · EPSS 0.00049
Exploits: 0 · References: 5 · Affected Software: 1

OSV
added 2025/10/16 3:30 p.m. · 2 views

GHSA-FWXX-WV44-7QFG Spring Cloud Gateway Server Webflux is vulnerable to Expression Language Injection

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...

CVSS 7.5 · AI score 5.9 · EPSS 0.00049
Exploits: 0 · References: 5

NVD
added 2025/10/16 3:15 p.m. · 3 views

CVE-2025-41253

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...

CVSS 7.5 · EPSS 0.00049
Exploits: 0 · References: 2

Cvelist
added 2025/10/16 2:25 p.m. · 10 views

CVE-2025-41253 Spring Cloud Gateway Webflux SpEL Injection Vulnerability Allowing Exposure of Environment Variables

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...

CVSS 7.5 · EPSS 0.00049
Exploits: 0 · References: 2

Vulnrichment
added 2025/10/16 2:25 p.m. · 2 views

CVE-2025-41253 Spring Cloud Gateway Webflux SpEL Injection Vulnerability Allowing Exposure of Environment Variables

The following versions of Spring Cloud Gateway Server Webflux may be vulnerable to the ability to expose environment variables and system properties to attackers. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server...

CVSS 7.5 · AI score 6.4 · EPSS 0.00049
Exploits: 0 · References: 2

Veracode
added 2025/10/10 9:7 a.m. · 6 views

Remote Code Execution

org.springframework.cloud, spring-cloud-gateway-server is vulnerable to Remote Code Execution. The vulnerability is due to exposed actuator endpoints evaluating user-controlled input via the GatewayEvaluationContext, allowing attackers to modify Spring Environment properties when the actuator...

CVSS 10 · AI score 8.1 · EPSS 0.06417
Exploits: 0 · References: 2 · Affected Software: 2

Cvelist
added 2025/09/16 2:54 p.m. · 8 views

CVE-2025-41243 Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server Webflux; Spring Cloud Gateway Server WebMVC is not vulnerable...

CVSS 10 · EPSS 0.06417
Exploits: 0 · References: 1

Vulnrichment
added 2025/09/16 2:54 p.m. · 2 views

CVE-2025-41243 Spring Expression Language property modification using Spring Cloud Gateway Server WebFlux

Spring Cloud Gateway Server Webflux may be vulnerable to Spring Environment property modification. An application should be considered vulnerable when all the following are true: The application is using Spring Cloud Gateway Server Webflux; Spring Cloud Gateway Server WebMVC is not vulnerable...

CVSS 10 · AI score 6.5 · EPSS 0.06417
Exploits: 0 · References: 1

GithubExploit
added 2025/08/08 8:40 a.m. · 98 views

Exploit for Code Injection in Vmware Spring_Cloud_Gateway

CVE-2022-22947 Spring Cloud Gateway Vulnerability Demonstratio...

CVSS 10 · AI score 8 · EPSS 0.94461
Exploits: 54

Veracode
added 2025/05/06 6:40 a.m. · 15 views

Missing Authorization

org.springframework.boot is vulnerable to Missing Authorization. The vulnerability is due to incorrect request matching caused by EndpointRequest.to creating a matcher for null/ when the targeted actuator endpoint is disabled or not exposed, which allows unprotected access to the /null path...

CVSS 7.3 · AI score 6.6 · EPSS 0.00181
Exploits: 0 · References: 4 · Affected Software: 2

Cvelist
added 2022/09/30 2:35 p.m. · 17 views

CVE-2022-23726

PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information...

CVSS 5.4 · AI score 5.9 · EPSS 0.0021
Exploits: 0 · References: 2

Vulnrichment
added 2022/09/30 2:35 p.m. · 4 views

CVE-2022-23726

PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information...

CVSS 5.4 · AI score 5.7 · EPSS 0.0021
Exploits: 0 · References: 2

Positive Technologies
added 2022/09/30 12:0 a.m. · 4 views

PT-2022-16230 · Unknown · Spring Boot +1

Name of the Vulnerable Software and Affected Versions: PingCentral versions prior to listed versions Description: The issue exposes Spring Boot actuator endpoints, which can return large amounts of sensitive environmental and application information when accessed with administrative authenticatio...

CVSS 5.4 · AI score 5.1 · EPSS 0.0021
Exploits: 0 · References: 4

Hacker One
added 2020/10/29 6:19 p.m. · 21 views

Semrush: Critically Sensitive Spring Boot Endpoints Exposed

Spring Boot includes a number of additional features to help you monitor and manage your application when you push it to production. Hacker found that actuator endpoints containing potentially sensitive data such as internal tokens and service data were left public. Semrush has a microservices...

AI score 6.7
Exploits: 0