GHSA-58F6-6RJ2-3V8R
Vulnerability from github – Published: 2026-07-02 20:29 – Updated: 2026-07-02 20:29
VLAI
Summary
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
Details
Summary
When Steeltoe management endpoints are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port.
Impact
An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.
Affected configuration
- The application's public port is accessible over from the network.
Management:Endpoints:Portis configured to a value different from the application's main listener port.- The request scheme matches
Management:Endpoints:SslEnabled. For example,httpwhenSslEnabledisfalse(the default), orhttpswhenSslEnabledistrue.
Mitigations
If an immediate upgrade to a patched version is not possible:
- Add explicit ASP.NET Core authorization (
RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation. - Configure the reverse proxy or load balancer to enforce the
Hostheader value and prevent clients from setting an arbitrary port.
Severity
8.2 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.1.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Steeltoe.Management.Endpoint"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.0"
},
"package": {
"ecosystem": "NuGet",
"name": "Steeltoe.Management.EndpointCore"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.2"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50194"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T20:29:13Z",
"nvd_published_at": "2026-06-17T22:16:23Z",
"severity": "HIGH"
},
"details": "### Summary\n\nWhen Steeltoe management endpoints are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. \n\n### Impact\n\nAn unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.\n\n### Affected configuration\n\n- The application\u0027s public port is accessible over from the network.\n- `Management:Endpoints:Port` is configured to a value different from the application\u0027s main listener port.\n- The request scheme matches `Management:Endpoints:SslEnabled`. For example, `http` when `SslEnabled` is `false` (the default), or `https` when `SslEnabled` is `true`.\n\n### Mitigations\n\nIf an immediate upgrade to a patched version is not possible:\n\n- Add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.\n- Configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.",
"id": "GHSA-58f6-6rj2-3v8r",
"modified": "2026-07-02T20:29:13Z",
"published": "2026-07-02T20:29:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-58f6-6rj2-3v8r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50194"
},
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9"
},
{
"type": "WEB",
"url": "https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6"
},
{
"type": "PACKAGE",
"url": "https://github.com/SteeltoeOSS/steeltoe"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Steeltoe vulnerable to management-port isolation bypass via spoofed Host header"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…