CVE-2026-50201
Status: Received - Intake
Information Disclosure in Steeltoe Management Endpoint

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mapped to Cloud Foundry's `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to `EndpointPermissions.Full`, so Cloud Foundry's `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible, explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`; alternatively, or in addition, if heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.
Meta Information
Generated
2026-06-18
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor Product Version / Range
steeltoe management to 4.2.0 (exc)
steeltoe management to 3.4.0 (exc)
CWE
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

This vulnerability exists in Steeltoe.Management.Endpoint versions prior to 4.2.0 and Steeltoe.Management.EndpointCore versions prior to 3.4.0. In these versions, all Steeltoe actuator endpoints default to a restricted permission level mapped to Cloud Foundry's 'read_basic_data' permission, which is granted to low-trust roles like Space Auditors.

However, sensitive actuator endpoints such as heap dump, environment, and thread dump do not require the higher 'read_sensitive_data' permission, meaning that sensitive data can be accessed by users with only basic read permissions. This contrasts with Spring Boot's Cloud Foundry integration, which correctly restricts these endpoints with the 'read_sensitive_data' permission by default.

The issue is fixed in Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0. Until an upgrade is possible, users can mitigate the issue by explicitly setting the required permissions to full for sensitive endpoints or by limiting which actuators are registered.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive application data through actuator endpoints such as heap dump, environment, and thread dump. Users with low-trust roles that normally have limited permissions could access sensitive information that should be protected.

Such exposure of sensitive data could lead to information disclosure risks, potentially aiding attackers in understanding the internal state of the application, which might facilitate further attacks or data breaches.

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Steeltoe.Management.Endpoint to version 4.2.0 or later and Steeltoe.Management.EndpointCore to version 3.4.0 or later.

If an immediate upgrade is not possible, explicitly set RequiredPermissions = EndpointPermissions.Full in the options for HeapDumpEndpointOptions, EnvironmentEndpointOptions, and ThreadDumpEndpointOptions.

Alternatively, if heap dump, thread dump, or environment actuators are not needed in production, register only the required actuators individually instead of using AddAllActuators().
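The two workarounds in the description and in the mitigation steps above, combined in one startup file, as an added example that is not Steeltoe's own code. It assumes an ASP.NET Core minimal-hosting Program.cs on the Steeltoe 4.x line, the standard ASP.NET Core options pattern (`Configure<T>` / `IOptions<T>`), and the `using` namespaces shown for the types the advisory names; `AddHealthActuator()` and `AddInfoActuator()` are assumed to be the per-actuator registration methods. Only `RequiredPermissions`, `EndpointPermissions.Full`, the three `*EndpointOptions` types and `AddAllActuators()` come from the advisory itself. The startup guard at the end is an added check, not part of the advisory.

```csharp
// Added example (not Steeltoe's own code): Program.cs for an ASP.NET Core app on
// Steeltoe 4.x that cannot yet move to Steeltoe.Management.Endpoint 4.2.0.
// Assumed: minimal hosting, the standard options pattern (Configure<T>/IOptions<T>),
// and the namespaces below for the types the advisory names.
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Steeltoe.Management.Endpoint;                       // AddAllActuators()
using Steeltoe.Management.Endpoint.Configuration;         // EndpointPermissions (assumed namespace)
using Steeltoe.Management.Endpoint.Actuators.Environment; // EnvironmentEndpointOptions (assumed namespace)
using Steeltoe.Management.Endpoint.Actuators.Health;      // AddHealthActuator() (assumed)
using Steeltoe.Management.Endpoint.Actuators.HeapDump;    // HeapDumpEndpointOptions (assumed namespace)
using Steeltoe.Management.Endpoint.Actuators.Info;        // AddInfoActuator() (assumed)
using Steeltoe.Management.Endpoint.Actuators.ThreadDump;  // ThreadDumpEndpointOptions (assumed namespace)

var builder = WebApplication.CreateBuilder(args);

if (builder.Environment.IsProduction())
{
    // Second workaround from the advisory: in production, register only the
    // actuators actually needed instead of AddAllActuators(), so heap dump,
    // environment and thread dump are not exposed at all.
    builder.Services.AddHealthActuator();
    builder.Services.AddInfoActuator();
}
else
{
    // Outside production the full set is convenient for diagnostics.
    builder.Services.AddAllActuators();
}

// First workaround from the advisory: raise the three sensitive endpoints from the
// vulnerable default (Restricted, i.e. Cloud Foundry read_basic_data) to Full, so the
// read_sensitive_data scope is required. Applied unconditionally, so that if one of
// these actuators is registered later it still starts out at Full.
builder.Services.Configure<HeapDumpEndpointOptions>(o => o.RequiredPermissions = EndpointPermissions.Full);
builder.Services.Configure<EnvironmentEndpointOptions>(o => o.RequiredPermissions = EndpointPermissions.Full);
builder.Services.Configure<ThreadDumpEndpointOptions>(o => o.RequiredPermissions = EndpointPermissions.Full);

var app = builder.Build();

// Added startup guard: fail fast if any sensitive actuator's options still sit below
// Full (for example because a later Configure call or a configuration binding lowered them).
AssertSensitiveActuatorsRequireFull(app.Services);

app.Run();

static void AssertSensitiveActuatorsRequireFull(IServiceProvider services)
{
    var belowFull = new List<string>();

    // Resolve the bound options for one endpoint and record it if it is not Full.
    void Check<TOptions>(Func<TOptions, EndpointPermissions> permissionOf) where TOptions : class
    {
        var options = services.GetRequiredService<IOptions<TOptions>>().Value;
        if (permissionOf(options) != EndpointPermissions.Full)
        {
            belowFull.Add(typeof(TOptions).Name);
        }
    }

    Check<HeapDumpEndpointOptions>(o => o.RequiredPermissions);
    Check<EnvironmentEndpointOptions>(o => o.RequiredPermissions);
    Check<ThreadDumpEndpointOptions>(o => o.RequiredPermissions);

    if (belowFull.Count > 0)
    {
        throw new InvalidOperationException(
            "Sensitive actuators not gated by EndpointPermissions.Full: " + string.Join(", ", belowFull));
    }
}
```

The `Configure<T>` calls are deliberately placed outside the environment branch: they are cheap, and they mean a future `AddHeapDumpActuator()` added to the production branch would still be gated by `read_sensitive_data`. On the Steeltoe 3.x (EndpointCore) line the option types live under different namespaces, so the `using` lines would need adjusting; the `RequiredPermissions` assignment itself is what the advisory prescribes for both lines.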

Compliance Impact

This vulnerability allows sensitive actuator endpoints such as heap dump, environment, and thread dump to be accessed without enforcing the higher Cloud Foundry 'read_sensitive_data' permission. As a result, sensitive data could be exposed to users with lower-trust roles, potentially leading to unauthorized access to sensitive information.

Exposure of sensitive data in this manner could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

Upgrading to Steeltoe.Management.Endpoint 4.2.0 or Steeltoe.Management.EndpointCore 3.4.0 or explicitly setting the required permissions to 'Full' for sensitive endpoints mitigates this risk.
