CVE-2026-50194
Deferred Deferred - Pending Action

Security Misconfiguration in Steeltoe Management Endpoints

Vulnerability report for CVE-2026-50194, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-17

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-17
Last Modified
2026-06-22
Generated
2026-07-08
AI Q&A
2026-06-18
EPSS Evaluated
2026-07-06
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
steeltoe management_endpoints From 3.2.2 (inc) to 3.3.0 (inc)
steeltoe management_endpoints 4.1.0
steeltoe management_endpoints 3.4.0
steeltoe management_endpoints 4.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized access to Steeltoe management endpoints when configured to listen on an alternate port, due to improper validation of the Host HTTP header. Such unauthorized access could lead to exposure of sensitive application management data.

Exposure of sensitive data or unauthorized access to management endpoints may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive information and secure access controls.

Mitigations include upgrading to patched versions or adding explicit authorization controls, which help maintain compliance by preventing unauthorized access.

Executive Summary

This vulnerability affects Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 when they are configured to listen on an alternate port. The middleware that is supposed to restrict access to these endpoints incorrectly uses the HTTP Host header to determine access instead of the actual network socket port. This allows an attacker to potentially bypass port-based access restrictions by manipulating the Host header.

Versions 3.4.0 and 4.2.0 have patched this issue. If upgrading immediately is not possible, it is recommended to add explicit ASP.NET Core authorization to all sensitive actuator endpoints or configure the reverse proxy/load balancer to enforce the Host header value and prevent clients from setting arbitrary ports.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive management endpoints of Steeltoe applications. Because the middleware relies on the Host header rather than the actual port, an attacker can bypass port-based access controls and potentially gain access to sensitive information or functionality exposed by these endpoints.

The CVSS score of 8.2 indicates a high severity, meaning the impact on confidentiality is high, integrity is low, and availability is not affected. This could result in exposure of sensitive data or partial compromise of the application.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Steeltoe management endpoints to versions 3.4.0 or 4.2.0 where the issue is patched.

If an immediate upgrade is not possible, apply explicit ASP.NET Core authorization (RequireAuthorization) to all sensitive actuator endpoints to add a defense-in-depth layer independent of port isolation.

Additionally, configure your reverse proxy or load balancer to enforce the Host header value and prevent clients from setting an arbitrary port.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50194. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart