Sensitive Data Exposure in Steeltoe by SteeltoeOSS
CVE-2026-50267

4.7 MEDIUM

Key Information:

Vendor
CVE Published: 17 June 2026

What is CVE-2026-50267?

Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0 contain a vulnerability that causes TLS client credentials to be unintentionally written to world-readable temporary files on Linux systems. This occurs when service bindings for MySQL or PostgreSQL contain TLS client credentials from VCAP_SERVICES. The credentials are written to files created with File.CreateText under Path.GetTempPath(); under a common process umask, other users in the same container can read them. The same credentials are also held, more securely, in /proc/<pid>/environ, which has restricted permissions. Users are advised to upgrade to Steeltoe.Configuration.Abstractions version 4.2.0 or to restrict access to /tmp in containerized environments to mitigate this risk.
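An added check for the exposure described above, not code from Steeltoe or from this advisory: it lists files in a temp directory that the current user owns and that group or other can read, and can strip that access. The function names are assumptions, and it assumes a default create yields mode 0666 filtered by the process umask.

```shell
#!/bin/sh
# Added example, not Steeltoe code. Function names are hypothetical.

# Print regular files directly under DIR, owned by the current user, whose
# mode grants read permission to group or to other.
list_exposed() {
    find "$1" -maxdepth 1 -type f -user "$(id -u)" \
        \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Create FILE with a default create (0666 filtered by umask MASK), to show
# which umask values leave a new temp file readable by other users.
# The body runs in a subshell so the caller's umask is not changed.
create_with_umask() (
    umask "$1"
    : > "$2"
)

# Remove group/other access from every file list_exposed reports in DIR.
restrict_exposed() {
    list_exposed "$1" | while IFS= read -r f; do
        chmod go-rwx "$f"
    done
}

# Usage: sh audit_tmp.sh DIR   (for example the value of $TMPDIR, or /tmp)
if [ "$#" -gt 0 ]; then
    list_exposed "$1"
fi
```

Tightening modes after the fact does not close the window between file creation and the chmod; upgrading to 4.2.0 remains the fix the advisory names.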

Affected Version(s)

Steeltoe.Configuration.Abstractions >= 4.0.0, < 4.2.0

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
