Access Control Vulnerability in Steeltoe Management Endpoints
CVE-2026-50194

8.2HIGH

Key Information:

Vendor

Steeltoeoss

Status
Steeltoe.management.endpoint
Steeltoe.management.endpointcore
Vendor
CVE Published:
17 June 2026

What is CVE-2026-50194?

The Steeltoe project, which provides libraries for building cloud-native applications, has a vulnerability in its management endpoints. Specifically, if versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on alternate ports, the access control middleware incorrectly utilizes the Host HTTP header instead of the actual network socket port. This flaw allows potential unauthorized access to sensitive actuator endpoints. Users are advised to upgrade to versions 3.4.0 or 4.2.0, which address this issue. As an additional security measure, implement explicit ASP.NET Core authorization for all sensitive endpoints and consider configuring a reverse proxy to enforce Host header validation to mitigate risks.

Affected Version(s)

Steeltoe.Management.Endpoint < 4.2.0

Steeltoe.Management.EndpointCore >= 3.2.2, < 3.4.0

References

https://github.com/SteeltoeOSS/security-advisories/securi...
x_refsource_CONFIRM
https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe8...
x_refsource_MISC
https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510...
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.