WebSocket Control Bypass in Ocelot by ThreeMammals
CVE-2026-58172

9.3CRITICAL

Key Information:

Vendor

Threemammals

Status
Ocelot
Vendor
CVE Published:
30 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-58172?

Ocelot, a popular API Gateway developed by ThreeMammals, is vulnerable to a security control bypass that impacts versions up to 24.1.0. This vulnerability arises from the WebSocket upgrade requests that can bypass IP-based access restrictions due to faulty configuration in the OcelotPipelineExtensions.cs file. Specifically, the pipeline omits the crucial SecurityMiddleware layer for these requests, which allows clients from blocked IP addresses to access downstream services without adhering to the pre-configured allow/block list.

Affected Version(s)

Ocelot 0 <= 24.1.0

Ocelot f156fd4017ca25025fffdad8ec56c1d657dfb402

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-58172 - Proof of Concept

References

https://github.com/ThreeMammals/Ocelot/issues/2403
technical-descriptionexploit
https://github.com/ThreeMammals/Ocelot/pull/2406
issue-tracking
https://github.com/ThreeMammals/Ocelot/commit/f156fd4017c...
patch

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.