CVE-2026-50200
Status: Received - Intake
Information Disclosure in Steeltoe Management Endpoint

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor    Product     Version / Range
steeltoe  management  up to 4.2.0 (exclusive)
steeltoe  management  up to 3.4.0 (exclusive)
CWE ID   Description
CWE-200  The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-319  The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
AI Quick Actions
Executive Summary

This vulnerability exists in Steeltoe.Management.Endpoint versions prior to 4.2.0 and Steeltoe.Management.EndpointCore versions prior to 3.4.0. The issue is in the Sanitizer component of the Environment actuator, which is responsible for redacting sensitive configuration values. It redacts a value only when the configuration key name matches a predefined suffix list, and that list does not cover the common connection-string key patterns: the standard .NET 'ConnectionStrings:<name>' or Steeltoe Connectors' 'Steeltoe:Client:<type>:Default:ConnectionString'. Because there is no value-based scrubbing either, full connection string values, including embedded passwords and user credentials, are returned in clear text in '/actuator/env' responses.

The vulnerability is patched in Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0. Until an upgrade is possible, mitigations include removing 'env' from the actuator exposure list, adding '.*connectionstring.*' to the KeysToSanitize list, and requiring authorization on actuator endpoints.

Impact Analysis

This vulnerability can lead to the exposure of sensitive information such as full connection strings, including embedded passwords and user credentials, through the '/actuator/env' endpoint. An attacker with network access to this endpoint could retrieve these secrets, potentially allowing unauthorized access to databases or other connected services.

In deployments where the actuator endpoints are reachable without authentication, the vulnerability discloses confidential credentials to anyone who can reach the endpoint, so it poses a high confidentiality risk that could lead to data breaches or unauthorized system access. Even where authorization is enforced, every principal permitted to read the environment actuator sees the secrets in clear text.

Detection Guidance

This vulnerability can be detected by checking whether the Steeltoe environment actuator (/actuator/env) returns full connection string values, including embedded passwords, instead of redacted ones.

Query the /actuator/env endpoint and inspect the JSON response for keys such as 'ConnectionStrings:<name>' or 'Steeltoe:Client:<type>:Default:ConnectionString' whose values are returned verbatim rather than masked. Adjust the URL if the management base path has been changed from the default '/actuator'.

For example, the following command pretty-prints the response and lists the matching entries together with the lines that follow them, so that each key is shown next to its value:

  • curl -s http://<your-server>:<port>/actuator/env | python3 -m json.tool | grep -i -A 2 'connectionstring'

Without the pretty-printing step a compact, single-line JSON response makes grep print the entire body, which hides which property matched. If a connection string value appears with its 'Password=' (or 'Pwd=') or 'user:pass@' segment in clear text rather than as a masked value, the vulnerability is present; a patched version, or a configuration that sanitizes connection-string keys, still lists the key but no longer returns the secret in clear text.
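The same check carried out over the parsed JSON body rather than with grep, as an added example for this page (not Steeltoe project code): it scans a constructed /actuator/env response in the Spring Boot-style layout Steeltoe's env actuator emits (a 'propertySources' array whose 'properties' map each key to a 'value' object; an assumption to verify against a response from your own deployment) and flags every property whose value is not a redaction mask and either sits under a connection-string key or carries credential material ('Password=', 'Pwd=', 'user:pass@'). The sample response, the masked-value markers and the script name in the usage comment are constructed for the example.

```python
"""Scan a Steeltoe /actuator/env response for unredacted connection strings.

Added example for this page; not Steeltoe project code. It assumes the
response uses the Spring Boot-style layout Steeltoe's env actuator emits:
{"propertySources": [{"name": ..., "properties": {key: {"value": ...}}}]}
and that redacted entries carry a masked value such as "******". Verify
both against a response from your own deployment.
"""
import json
import re
import sys

# Key shapes the advisory says the default suffix list does not cover:
# ConnectionStrings:<name> and Steeltoe:Client:<type>:Default:ConnectionString.
CONNECTION_STRING_KEY = re.compile(r"connectionstring", re.IGNORECASE)

# Value-based heuristics, independent of key name: "Password=...;" / "Pwd=...;"
# segments of ADO.NET-style strings and "scheme://user:pass@host" URLs.
CREDENTIAL_IN_VALUE = re.compile(
    r"(?:^|;)\s*(?:password|pwd)\s*=\s*[^;]+"
    r"|://[^/\s:@]+:[^/\s@]+@",
    re.IGNORECASE,
)

MASKED_VALUES = {"******", "[REDACTED]"}  # assumed redaction markers


def find_leaked_secrets(env_json: str) -> list:
    """Return (property_source, key, value, reason) for each leaking property.

    reason is "key", "value" or "key+value" depending on which rule fired.
    """
    doc = json.loads(env_json)
    leaks = []
    for source in doc.get("propertySources", []):
        for key, prop in source.get("properties", {}).items():
            value = prop.get("value") if isinstance(prop, dict) else prop
            if not isinstance(value, str) or value in MASKED_VALUES:
                continue
            reasons = []
            if CONNECTION_STRING_KEY.search(key):
                reasons.append("key")
            if CREDENTIAL_IN_VALUE.search(value):
                reasons.append("value")
            if reasons:
                leaks.append((source.get("name", "?"), key, value, "+".join(reasons)))
    return leaks


def report(env_json: str) -> str:
    """Human-readable summary of find_leaked_secrets()."""
    lines = [f"LEAK [{reason}] {key} (from {source}): {value}"
             for source, key, value, reason in find_leaked_secrets(env_json)]
    return "\n".join(lines) if lines else "no unredacted credentials found"


# Constructed sample response: what an affected version would return.
SAMPLE_ENV_RESPONSE = json.dumps({
    "activeProfiles": ["Production"],
    "propertySources": [
        {
            "name": "JsonConfigurationProvider: [appsettings.json]",
            "properties": {
                "ConnectionStrings:Default": {
                    "value": "Server=db.internal;Database=orders;User Id=app;Password=Sup3rS3cret!;"
                },
                "Steeltoe:Client:PostgreSql:Default:ConnectionString": {
                    "value": "postgres://orders:hunter2@pg.internal:5432/orders"
                },
                "Logging:LogLevel:Default": {"value": "Information"},
            },
        },
        {
            "name": "EnvironmentVariablesConfigurationProvider",
            "properties": {
                # These keys end in "key" / "password", so the default list masks them.
                "Api:Key": {"value": "******"},
                "Database:Password": {"value": "******"},
            },
        },
    ],
})

if __name__ == "__main__":
    # Usage: curl -s http://<your-server>:<port>/actuator/env | python3 scan_env.py
    # With no piped input the constructed sample is scanned instead.
    body = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ENV_RESPONSE
    print(report(body))
```

Against the sample both connection strings are reported with reason 'key+value', while the two entries the default list already masks are skipped. The value-based rule is what catches a credential stored under a key the suffix list does not anticipate, which is exactly the gap the advisory describes.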

Mitigation Strategies

Remediation and interim mitigations:

  • Upgrade Steeltoe.Management.Endpoint to version 4.2.0 or later, or Steeltoe.Management.EndpointCore to version 3.4.0 or later, where the issue is patched.
  • If upgrading is not immediately possible, remove 'env' from the actuator exposure list so the environment actuator is not served at all.
  • Add '.*connectionstring.*' to the KeysToSanitize configuration so that keys such as 'ConnectionStrings:<name>' and 'Steeltoe:Client:<type>:Default:ConnectionString' are redacted. If your configuration replaces rather than appends to the default list, include the default entries ('password', 'secret', 'key', 'token', '.*credentials.*', 'vcap_services') as well, or they stop being redacted.
  • Require authorization on actuator endpoints (for example, an ASP.NET Core authorization policy on the mapped actuator routes) so that only trusted principals can read them.
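To see why the default KeysToSanitize list misses the two key shapes named in the advisory and why '.*connectionstring.*' covers them, the following added example (not Steeltoe's Sanitizer) reimplements in Python the matching rule the description gives: an entry containing regex metacharacters is applied as a case-insensitive regex over the whole key, and any other entry is a case-insensitive suffix match (that regex-versus-suffix split follows the Spring Boot sanitizer Steeltoe's is modelled on and is an assumption here). It also audits a parsed appsettings.json for the exposure-list and KeysToSanitize mitigations; the configuration paths Management:Endpoints:Actuator:Exposure:Include and Management:Endpoints:Env:KeysToSanitize are taken from Steeltoe's configuration documentation as recalled here and should be confirmed for your version. All sample configuration is constructed.

```python
"""Test which configuration keys a KeysToSanitize list redacts, and audit
appsettings for the interim mitigations from this advisory.

Added example for this page; not Steeltoe's Sanitizer. The matching rule is
reimplemented from the description: an entry containing regex metacharacters
is applied as a case-insensitive regex over the whole key, any other entry is
a case-insensitive suffix match (the regex-versus-suffix split follows the
Spring Boot sanitizer Steeltoe's is modelled on and is an assumption here).
"""
import re

MASK = "******"

# Default list quoted in the advisory.
DEFAULT_KEYS_TO_SANITIZE = [
    "password", "secret", "key", "token", ".*credentials.*", "vcap_services",
]
# Advisory mitigation: keep the defaults and add the connection-string pattern.
HARDENED_KEYS_TO_SANITIZE = DEFAULT_KEYS_TO_SANITIZE + [".*connectionstring.*"]

_REGEX_MARKERS = set("*$^+")


def _compile(entry: str) -> "re.Pattern":
    if _REGEX_MARKERS & set(entry):
        return re.compile(rf"^(?:{entry})$", re.IGNORECASE)   # whole-key regex
    return re.compile(rf"{re.escape(entry)}$", re.IGNORECASE)  # suffix match


def is_sanitized(key: str, keys_to_sanitize) -> bool:
    """True if any entry in keys_to_sanitize matches the configuration key."""
    return any(_compile(entry).search(key) for entry in keys_to_sanitize)


def sanitize(properties: dict, keys_to_sanitize) -> dict:
    """Copy of a flat {key: value} map with matching values replaced by MASK."""
    return {k: (MASK if is_sanitized(k, keys_to_sanitize) else v)
            for k, v in properties.items()}


# Constructed sample of flattened .NET configuration keys.
SAMPLE_CONFIG = {
    "ConnectionStrings:Default": "Server=db;User Id=app;Password=Sup3rS3cret!;",
    "Steeltoe:Client:SqlServer:Default:ConnectionString": "Server=db;Password=x;",
    "Api:Key": "AKIA-example",
    "Services:Billing:Credentials:User": "svc",
    "Logging:LogLevel:Default": "Information",
}


def masked_keys(keys_to_sanitize) -> set:
    """Keys of SAMPLE_CONFIG that the given list redacts."""
    return {k for k, v in sanitize(SAMPLE_CONFIG, keys_to_sanitize).items() if v == MASK}


def audit_env_actuator(appsettings: dict) -> dict:
    """Evaluate a parsed appsettings.json against the interim mitigations.

    The paths Management:Endpoints:Actuator:Exposure:Include and
    Management:Endpoints:Env:KeysToSanitize are assumed from Steeltoe's
    configuration documentation; confirm them for your version.
    """
    endpoints = appsettings.get("Management", {}).get("Endpoints", {})
    include = endpoints.get("Actuator", {}).get("Exposure", {}).get("Include", [])
    keys = endpoints.get("Env", {}).get("KeysToSanitize", DEFAULT_KEYS_TO_SANITIZE)
    probes = ["ConnectionStrings:Default",
              "Steeltoe:Client:SqlServer:Default:ConnectionString"]
    return {
        "env_exposed": any(e.strip().lower() in ("*", "env") for e in include),
        "connection_strings_redacted": all(is_sanitized(p, keys) for p in probes),
    }


# Constructed before/after configurations.
VULNERABLE_APPSETTINGS = {"Management": {"Endpoints": {
    "Actuator": {"Exposure": {"Include": ["*"]}},
}}}
HARDENED_APPSETTINGS = {"Management": {"Endpoints": {
    "Actuator": {"Exposure": {"Include": ["health", "info"]}},
    "Env": {"KeysToSanitize": HARDENED_KEYS_TO_SANITIZE},
}}}

if __name__ == "__main__":
    for name, keys in (("default", DEFAULT_KEYS_TO_SANITIZE),
                       ("hardened", HARDENED_KEYS_TO_SANITIZE)):
        print(f"{name}: masked {sorted(masked_keys(keys))}")
    print("vulnerable:", audit_env_actuator(VULNERABLE_APPSETTINGS))
    print("hardened:  ", audit_env_actuator(HARDENED_APPSETTINGS))
```

With the default list only 'Api:Key' (suffix 'key') and 'Services:Billing:Credentials:User' (regex '.*credentials.*') are masked; 'ConnectionStrings:Default' ends in 'Default' and the Connectors key ends in 'ConnectionString', so neither suffix nor regex entry matches them. Adding '.*connectionstring.*' masks both. Because the hardened list is built on top of the defaults, the previously protected keys stay masked; a list that contained only the new pattern would expose them instead.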