CVE-2026-50196
ArgumentException in Steeltoe.Discovery.Eureka from Invalid DataCenterInfo

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.
Affected Vendors & Products
1 associated CPE:
Vendor: steeltoe
Product: discovery
Version / Range: to 3.4.0 (exc)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions
Executive Summary

This vulnerability exists in Steeltoe.Discovery.Eureka versions prior to 4.2.0 and 3.4.0. The method DataCenterInfo.FromJson throws an ArgumentException when it encounters any name value other than "MyOwn" or "Amazon", even though the Java Eureka specification defines a third valid value, "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, so the local service registry becomes permanently empty or stale.

The issue is fixed in versions 4.2.0 and 3.4.0. Until an upgrade is possible, it is recommended to remove any registrations using unsupported DataCenterInfo.name values from the registry and audit for the "Netflix" data center type in mixed Java/Spring and Steeltoe environments before deploying Steeltoe Eureka clients.

Impact Analysis

The vulnerability can cause the local service registry to become permanently empty or stale because the deserialization process fails and the exception is swallowed silently. This means that the application relying on Steeltoe.Discovery.Eureka may not have an accurate or up-to-date view of available services, potentially leading to service discovery failures or degraded application functionality.

According to the CVSS score (7.5, High severity), the impact is on availability (A:H), meaning the vulnerability can cause denial of service or disruption in service availability.

Detection Guidance

This vulnerability can be detected by auditing the service registry for any registrations using unsupported DataCenterInfo.name values, specifically looking for the 'Netflix' data center type in mixed Java/Spring and Steeltoe environments.

Since the issue causes the local service registry to become permanently empty or stale due to swallowed exceptions during cache refresh, monitoring for an empty or stale local service registry may also indicate the presence of this vulnerability.

No specific commands are provided in the available information.
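As an added example (not from the advisory or the Steeltoe project), the following Python audit reads a saved Eureka registry document in the shape of a GET /eureka/apps JSON response and flags every instance whose dataCenterInfo.name an unpatched Steeltoe client would reject, distinguishing the spec-valid "Netflix" case from outright invalid names; the sample registry, app names and instance ids are constructed.

```python
import json

# Names the Java Eureka specification allows for dataCenterInfo.name.
EUREKA_VALID_NAMES = {"MyOwn", "Amazon", "Netflix"}
# Names Steeltoe.Discovery.Eureka accepted before 4.2.0 / 3.4.0.
STEELTOE_PREFIX_NAMES = {"MyOwn", "Amazon"}

def _as_list(value):
    # Eureka renders a single child as an object rather than a one-element list.
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_registry(apps_document):
    """Return one finding per registered instance whose dataCenterInfo.name an
    unpatched Steeltoe client would reject while parsing the registry."""
    findings = []
    for app in _as_list(apps_document.get("applications", {}).get("application")):
        for inst in _as_list(app.get("instance")):
            name = (inst.get("dataCenterInfo") or {}).get("name")
            if name in STEELTOE_PREFIX_NAMES:
                continue
            if name in EUREKA_VALID_NAMES:
                reason = "valid per Eureka spec, rejected by Steeltoe < 4.2.0 / 3.4.0"
            else:
                reason = "not a valid Eureka data center name"
            findings.append({"app": app.get("name"), "instance": inst.get("instanceId"),
                             "name": name, "reason": reason})
    return findings

def refresh_would_fail(apps_document):
    """One rejected instance aborts the whole registry deserialization in an
    unpatched client, so the cache refresh fails as soon as any finding exists."""
    return bool(audit_registry(apps_document))

# Constructed sample in the shape of a GET /eureka/apps JSON response
# (app names and instance ids are made up).
SAMPLE_APPS = json.loads("""
{"applications": {"application": [
  {"name": "ORDERS", "instance": [
    {"instanceId": "orders-1", "status": "UP",
     "dataCenterInfo": {"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo", "name": "MyOwn"}},
    {"instanceId": "orders-2", "status": "UP",
     "dataCenterInfo": {"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo", "name": "Netflix"}}]},
  {"name": "BILLING", "instance":
    {"instanceId": "billing-1", "status": "UP", "dataCenterInfo": {"name": "Azure"}}}]}}
""")

if __name__ == "__main__":
    for f in audit_registry(SAMPLE_APPS):
        print(f"{f['app']}/{f['instance']}: name={f['name']!r} ({f['reason']})")
```

Any finding means an unpatched client's periodic refresh will keep failing against this registry, so the flagged registrations are the ones to remove or correct before deploying the Steeltoe client.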

Mitigation Strategies

The immediate mitigation steps include upgrading Steeltoe.Discovery.Eureka to version 4.2.0 or 3.4.0 or later, where the issue is patched.

If an immediate upgrade is not possible, remove any registrations using unsupported DataCenterInfo.name values from the registry.

Additionally, audit for the 'Netflix' data center type before deploying Steeltoe Eureka clients in mixed Java/Spring and Steeltoe environments.
