ArgumentException in Steeltoe Discovery Eureka Leaves Local Service Registry Vulnerable
CVE-2026-50196

7.5HIGH

Key Information:

Vendor

Steeltoeoss

Status
Steeltoe.discovery.eureka
Vendor
CVE Published:
17 June 2026

What is CVE-2026-50196?

In Steeltoe.Discovery.Eureka versions before 4.2.0 and 3.4.0, an ArgumentException is thrown if the DataCenterInfo.FromJson method encounters a name value other than 'MyOwn' or 'Amazon'. This is in contrast to the Java Eureka specification, which includes 'Netflix' as a valid alternative. The resulting exception prevents proper propagation through the registry deserialization process, potentially leaving the local service registry either empty or stale, which can adversely affect cloud-native applications relying on accurate service discovery. Users are advised to upgrade to patched versions or to manually remove unsupported DataCenterInfo.name registrations in mixed environments.

Affected Version(s)

Steeltoe.Discovery.Eureka >= 4.0.0, < 4.2.0 < 4.0.0, 4.2.0

Steeltoe.Discovery.Eureka < 3.4.0 < 3.4.0

References

https://github.com/SteeltoeOSS/security-advisories/securi...
x_refsource_CONFIRM
https://github.com/SteeltoeOSS/Steeltoe/commit/b8ed8557bb...
x_refsource_MISC
https://github.com/SteeltoeOSS/Steeltoe/commit/c34a7399e8...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.