diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
index ba23f7859aed..680d4afa44a7 100644
--- a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -282,7 +282,7 @@ private static void parseCommaDelimitedOrigin(String rawValue, Consumer
 			}
 		}
 		if (start < rawValue.length()) {
-			valueConsumer.accept(rawValue.substring(start));
+			valueConsumer.accept(rawValue.substring(start).trim());
 		}
 	}
 
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
index 0dfdee1ba0b2..092781475f94 100644
--- a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
@@ -305,6 +305,11 @@ void checkOriginAllowed() {
 		assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com");
 		assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/");
 
+		// comma-delimited origins list with space
+		config.setAllowedOrigins(Collections.singletonList("https://a1.com, https://a2.com"));
+		assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com");
+		assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/");
+
 		// specific origin matches Origin header with or without trailing "/"
 		config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
 		assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
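Review bot: The `.trim()` is applied only to the tail segment after the last comma, while the segments emitted inside the loop above the hunk appear to still go through `rawValue.substring(start, current)` untrimmed, so a value such as `https://a1.com , https://a2.com` would presumably register `https://a1.com ` with a trailing space and never match; applying the same trim on that path keeps the two consistent. Trimming can also reduce a whitespace-only tail (a trailing `, `) to an empty string that is then handed to the consumer; consider `String value = rawValue.substring(start).trim();` followed by `if (!value.isEmpty()) { valueConsumer.accept(value); }` so no empty origin entry is recorded. Either way the change only equalizes matching and does not widen what `checkOrigin` accepts, which is the property to keep an eye on in this method. parseCommaDelimitedOrigin starts outside the hunk.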
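Review bot: The new assertions cover whitespace only after the comma, so the first segment, produced by the loop rather than by the trimmed tail, is never exercised with leading or trailing whitespace; adding `config.setAllowedOrigins(Collections.singletonList(" https://a1.com , https://a2.com"));` with the same two `checkOrigin` assertions would pin the behaviour for both code paths, though whether it passes depends on the loop in parseCommaDelimitedOrigin, which this commit does not change. A negative check such as `assertThat(config.checkOrigin("https://a3.com")).isNull();` next to the new block would document that trimming does not widen the allow list. checkOriginAllowed starts and ends outside the hunk.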