A vulnerability in APIML Spring Cloud Gateway which leverages user privileges by unexpected signing proxied request by Zowe's client certificate. This allows access to a user to the endpoints requiring an internal client certificate without any credentials. It could lead to managing components in there and allow an attacker to handle the whole communication including user credentials.
Conclusion & alert: CVE-2024-6834 is rated Moderate Risk (42/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.26%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.36% | 0.26% | -0.09% |
| 2 | 2026-03-16 | 0.46% | 0.36% | -0.11% |
| 3 | 2025-12-06 | — | 0.46% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.0 | 3.1 | CRITICAL |
|
2.2 | 6.0 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||
| URL | Tags |
|---|---|
| https://github.com/zowe/api-layer |