GHSA-227R-JM2G-7CP4
Vulnerability from github – Published: 2026-07-02 20:31 – Updated: 2026-07-02 20:31Summary
All Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which is mapped to Cloud Foundry's read_basic_data permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to EndpointPermissions.Full, so CF's read_sensitive_data permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with read_sensitive_data by default.
Impact
Any CF user holding Space Auditor, Space Manager, or Org Auditor role can access the heap dump, environment, and thread dump actuators for any Steeltoe application in their space. A heap dump contains all in-memory data including database passwords, bearer tokens, and VCAP_SERVICES credentials. CF's read_sensitive_data permission, which is specifically designed to gate this access, has no effect.
Affected configuration
- Application is deployed on Cloud Foundry with CF actuator and security middleware active (added automatically by
AddAllActuators()when a CF environment is detected). - The attacker holds a CF role that grants
read_basic_data: Space Auditor, Space Manager, or Org Auditor.
Mitigations
If an immediate upgrade is not possible:
- Explicitly set
RequiredPermissions = EndpointPermissions.Fullin the options forHeapDumpEndpointOptions,EnvironmentEndpointOptions, andThreadDumpEndpointOptions. - If heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using
AddAllActuators().
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Steeltoe.Management.Endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Steeltoe.Management.EndpointBase"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50201"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:31:26Z",
"nvd_published_at": "2026-06-17T23:17:04Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAll Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mapped to Cloud Foundry\u0027s `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to `EndpointPermissions.Full`, so CF\u0027s `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot\u0027s equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default.\n\n### Impact\n\nAny CF user holding Space Auditor, Space Manager, or Org Auditor role can access the heap dump, environment, and thread dump actuators for any Steeltoe application in their space. A heap dump contains all in-memory data including database passwords, bearer tokens, and VCAP_SERVICES credentials. CF\u0027s `read_sensitive_data` permission, which is specifically designed to gate this access, has no effect.\n\n### Affected configuration\n\n- Application is deployed on Cloud Foundry with CF actuator and security middleware active (added automatically by `AddAllActuators()` when a CF environment is detected).\n- The attacker holds a CF role that grants `read_basic_data`: Space Auditor, Space Manager, or Org Auditor.\n\n### Mitigations\n\nIf an immediate upgrade is not possible:\n\n- Explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`.\n- If heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.",
"id": "GHSA-227r-jm2g-7cp4",
"modified": "2026-07-02T20:31:26Z",
"published": "2026-07-02T20:31:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-227r-jm2g-7cp4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50201"
},
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/Steeltoe/commit/b39defa4db5f44f8696c456866b3a5b900d8d96b"
},
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/Steeltoe/commit/da6c604decd992f61aeef763f5814102dcb088c7"
},
{
"type": "PACKAGE",
"url": "https://github.com/SteeltoeOSS/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Steeltoe\u0027s sensitive actuators (heapdump/env) only require Restricted permission"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.