CVE-2026-50194
Security Misconfiguration in Steeltoe Management Endpoints

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is set), the middleware responsible for restricting access to the endpoints decides whether a request arrived on the management port from the client-supplied `Host` HTTP header rather than from the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation, and/or configure the reverse proxy or load balancer to enforce the `Host` header value so that clients cannot set an arbitrary port.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)
Vendor    Product               Version / Range
steeltoe  management_endpoints  from 3.2.2 (inclusive) to 3.3.0 (inclusive)
steeltoe  management_endpoints  4.1.0
steeltoe  management_endpoints  3.4.0
steeltoe  management_endpoints  4.2.0
CWE ID   Description
CWE-639  The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-288  The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Executive Summary

This vulnerability affects Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 when they are configured to listen on an alternate port. The middleware that is supposed to restrict access to these endpoints incorrectly uses the HTTP Host header to determine access instead of the actual network socket port. This allows an attacker to potentially bypass port-based access restrictions by manipulating the Host header.

Versions 3.4.0 and 4.2.0 have patched this issue. If upgrading immediately is not possible, it is recommended to add explicit ASP.NET Core authorization to all sensitive actuator endpoints or configure the reverse proxy/load balancer to enforce the Host header value and prevent clients from setting arbitrary ports.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive management endpoints of Steeltoe applications. Because the middleware relies on the Host header rather than the actual port, an attacker can bypass port-based access controls and potentially gain access to sensitive information or functionality exposed by these endpoints.

The CVSS score of 8.2 indicates a high severity, meaning the impact on confidentiality is high, integrity is low, and availability is not affected. This could result in exposure of sensitive data or partial compromise of the application.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Steeltoe management endpoints to version 3.4.0 or 4.2.0, where the issue is patched.

If an immediate upgrade is not possible, apply explicit ASP.NET Core authorization (RequireAuthorization) to all sensitive actuator endpoints to add a defense-in-depth layer independent of port isolation.

Additionally, configure your reverse proxy or load balancer to enforce the Host header value and prevent clients from setting an arbitrary port.
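The following is an added example, not code from the Steeltoe project or from this advisory. It is an ASP.NET Core minimal API that applies the two mitigations described above and in the Description: a port-isolation check that uses the accepted socket port (`HttpContext.Connection.LocalPort`) instead of the client-supplied `Host` header, and an explicit `RequireAuthorization` policy on the sensitive actuator routes. The `/actuator` prefix, the `ActuatorRead` policy name, the JWT bearer scheme and the default port 8090 are assumptions; the `Management:Endpoints:Port` key is the one the advisory names.

```csharp
// Added example (not Steeltoe's or the advisory's own code). Assumed names: the /actuator
// prefix, the "ActuatorRead" policy, the JWT bearer scheme and the fallback port 8090.
using Microsoft.AspNetCore.Authentication.JwtBearer; // NuGet: Microsoft.AspNetCore.Authentication.JwtBearer
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Port the management endpoints are meant to be reachable on, read from the key the advisory names.
int managementPort = builder.Configuration.GetValue<int>("Management:Endpoints:Port", 8090);

// Any authentication scheme will do; JWT bearer is used here only as a concrete choice.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer();
builder.Services.AddAuthorization(options =>
    options.AddPolicy("ActuatorRead", policy => policy.RequireAuthenticatedUser()));

var app = builder.Build();

// Mitigation 1: port isolation that cannot be influenced by the request.
// context.Request.Host (and Host.Port) is parsed from the client-supplied Host header.
// context.Connection.LocalPort is the port the listening socket actually accepted the
// connection on, so only the latter is used to decide whether this is the management port.
app.Use(async (context, next) =>
{
    bool isActuator = context.Request.Path.StartsWithSegments("/actuator");
    if (isActuator && context.Connection.LocalPort != managementPort)
    {
        // On the application port the actuator routes are reported as non-existent.
        context.Response.StatusCode = StatusCodes.Status404NotFound;
        return;
    }
    await next(context);
});

app.UseAuthentication();
app.UseAuthorization();

// Mitigation 2: explicit authorization on every sensitive actuator route, independent of the
// port check above. With Steeltoe itself, the same .RequireAuthorization("ActuatorRead") is
// applied to the endpoint convention builder returned by its actuator-mapping call (assumed
// here; check the mapping API of your Steeltoe version).
var actuators = app.MapGroup("/actuator").RequireAuthorization("ActuatorRead");
actuators.MapGet("/env", (IConfiguration cfg) =>
    Results.Ok(new { management_port = cfg["Management:Endpoints:Port"] }));
actuators.MapGet("/mappings", () => Results.Ok(new { routes = new[] { "/actuator/env", "/actuator/mappings" } }));

// Listen on both the application port and the management port so the LocalPort check has
// something to distinguish.
app.Urls.Add("http://localhost:5000");
app.Urls.Add($"http://localhost:{managementPort}");
app.Run();
```

With both measures in place, a request that reaches the application port is refused by the middleware regardless of what its `Host` header says, and a request that does reach the management port still has to carry a valid credential for the `ActuatorRead` policy. The reverse-proxy measure from the advisory (rewriting or validating `Host` before forwarding) remains worthwhile in addition, because it keeps attacker-chosen `Host` values away from any other component that might still trust them.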
