
Steeltoe Discovery Eureka CVE-2026-50196

HIGH
Improper Input Validation (CWE-20)
2026-06-17 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Trigger arrives over the network via Eureka registration (AV:N, AC:L) but requires the ability to register a service with the shared registry, so PR:L; impact is loss of discovery availability only (A:H, C/I:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

Source Code Evidence Fetched
Jun 17, 2026 - 22:16 vuln.today
Analysis Generated
Jun 17, 2026 - 22:16 vuln.today

Description (CVE.org)

Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value: "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported DataCenterInfo.name values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the Netflix data center type before deploying Steeltoe Eureka clients.

Analysis (AI)

Denial of service in Steeltoe.Discovery.Eureka client (.NET) versions prior to 4.2.0 and 3.4.0 allows a remote Eureka registry containing service registrations with DataCenterInfo.name="Netflix" to permanently break the local service discovery cache. The client's DataCenterInfo.FromJson rejects any value other than "MyOwn" or "Amazon" with an ArgumentException that is silently swallowed by the periodic cache refresh task, leaving downstream .NET services unable to discover peers. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify shared Eureka registry
Delivery: Register service with DataCenterInfo.name="Netflix"
Exploit: Steeltoe client polls registry refresh
Install: FromJson throws ArgumentException
C2: Periodic refresh task swallows exception
Execute: Local registry left empty/stale
Impact: Dependent .NET services fail discovery

Vulnerability Assessment (AI)

Exploitation Requires (1) a Steeltoe.Discovery.Eureka client at version < 3.4.0 or < 4.2.0 acting as a Eureka consumer, and (2) at least one service instance present in the shared Eureka registry whose DataCenterInfo.name field equals the spec-valid string "Netflix" (or any value other than "MyOwn"/"Amazon"). …
Risk Assessment CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a pure availability impact reachable over the network from the upstream Eureka registry, with no confidentiality or integrity loss. Note that the vuln.today rating above assigns PR:L (6.5 MEDIUM) because the trigger requires the ability to register a service with the shared registry. …
Exploit Scenario In a mixed Spring-Cloud/Steeltoe microservice mesh, a single Java service registers with Eureka declaring DataCenterInfo.name="Netflix" (the spec-valid third option). On the next 30-second refresh, every Steeltoe .NET consumer aborts deserialization, its in-memory registry becomes empty or frozen, and outbound service-to-service calls fail to resolve peers, producing a mesh-wide outage until either the offending registration is removed or the clients are patched. …
Remediation Vendor-released patch: upgrade Steeltoe.Discovery.Eureka to 4.2.0 (4.x line) or 3.4.0 (3.x line), per advisory GHSA-j8ph-6fxj-g533 (https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-j8ph-6fxj-g533) and fix commits b8ed8557bb595863e4f340051d16b26ba40a75f4 and c34a7399e808d0d11dd977460e81df1f2722df28. …
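The description and the exploit scenario above both hinge on one mechanism: a single registration whose DataCenterInfo.name is outside {"MyOwn", "Amazon"} aborts deserialization of the entire registry response, and the periodic refresh task swallows the resulting exception. The following Python script is an added example, not Steeltoe or Eureka code. It does two things: it implements the advisory's workaround check (list every registration a pre-fix client will choke on, so it can be removed or corrected), and it models the vulnerable all-or-nothing refresh beside an isolating alternative so the empty-or-stale outcome is visible. The JSON shape follows what the Eureka v2 REST API returns for GET /eureka/apps with Accept: application/json; the application names, hosts, instance IDs and the "OnPrem" value are constructed for the example, and refresh_all_or_nothing / refresh_isolated are simplified models rather than the library's real code.

```python
"""Audit a Eureka registry dump for DataCenterInfo.name values a pre-fix
Steeltoe client rejects, and model why one such instance empties or freezes
the whole local cache. Added example; not Steeltoe code."""
import json

# Values DataCenterInfo.FromJson accepted before the fix (per the advisory).
STEELTOE_ACCEPTED = {"MyOwn", "Amazon"}
# Values the Java Eureka specification defines (the advisory names "Netflix").
EUREKA_SPEC = {"MyOwn", "Amazon", "Netflix"}

# Constructed sample in the shape of GET /eureka/apps (Accept: application/json).
# Service names, hosts, instance IDs and the "OnPrem" value are made up.
SAMPLE_APPS = json.dumps({"applications": {"application": [
    {"name": "ORDER-SERVICE", "instance": [
        {"instanceId": "order-1", "hostName": "order-1.internal", "status": "UP",
         "port": {"$": 8080, "@enabled": "true"},
         "dataCenterInfo": {"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
                            "name": "MyOwn"}}]},
    {"name": "BILLING-SERVICE", "instance": [
        {"instanceId": "billing-1", "hostName": "billing-1.internal", "status": "UP",
         "port": {"$": 8080, "@enabled": "true"},
         "dataCenterInfo": {"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
                            "name": "Netflix"}}]},      # spec-valid, rejected pre-fix
    {"name": "INVENTORY-SERVICE", "instance": [
        {"instanceId": "inventory-1", "hostName": "inventory-1.internal", "status": "UP",
         "port": {"$": 8080, "@enabled": "true"},
         "dataCenterInfo": {"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
                            "name": "OnPrem"}}]},       # not valid under any spec
]}})


def iter_instances(apps_json):
    """Yield (application name, instance dict) pairs from an /eureka/apps body."""
    doc = json.loads(apps_json)
    for app in doc["applications"].get("application", []):
        for inst in app.get("instance", []):
            yield app["name"], inst


def dc_name(inst):
    return inst.get("dataCenterInfo", {}).get("name")


def audit(apps_json):
    """Workaround check: registrations a pre-fix Steeltoe client will choke on."""
    return [(app, inst["instanceId"], dc_name(inst))
            for app, inst in iter_instances(apps_json)
            if dc_name(inst) not in STEELTOE_ACCEPTED]


def refresh_all_or_nothing(apps_json, previous):
    """Model of the vulnerable refresh: the first unsupported value raises,
    the periodic task swallows the exception and keeps the previous cache,
    so the registry stays empty (first fetch) or stale (later fetches)."""
    fresh = {}
    try:
        for app, inst in iter_instances(apps_json):
            if dc_name(inst) not in STEELTOE_ACCEPTED:
                raise ValueError(f"Unsupported DataCenterInfo.name: {dc_name(inst)!r}")
            fresh.setdefault(app, []).append(inst["instanceId"])
    except ValueError:
        return previous        # swallowed; the caller never learns why the cache froze
    return fresh


def refresh_isolated(apps_json):
    """Hardened shape (a design choice here, not necessarily the vendor patch):
    accept every spec-defined value and quarantine bad instances one at a
    time instead of discarding the whole registry."""
    cache, rejected = {}, []
    for app, inst in iter_instances(apps_json):
        if dc_name(inst) not in EUREKA_SPEC:
            rejected.append((app, inst["instanceId"], dc_name(inst)))
            continue
        cache.setdefault(app, []).append(inst["instanceId"])
    return cache, rejected


if __name__ == "__main__":
    for app, instance_id, name in audit(SAMPLE_APPS):
        print(f"fix or remove before deploying pre-fix clients: {app}/{instance_id} name={name!r}")
    print("vulnerable refresh sees:", refresh_all_or_nothing(SAMPLE_APPS, {}))
    print("isolated refresh sees:", refresh_isolated(SAMPLE_APPS))
```

To run the audit against a live registry, fetch the body with a plain HTTP client (the Eureka server returns XML unless the Accept header asks for JSON) and pass it to audit(). The BILLING-SERVICE entry is the case the advisory describes: valid per the Java specification, fatal to the pre-fix .NET client; the INVENTORY-SERVICE entry shows that the same failure is reachable with any other string, so the audit should not be limited to the literal value "Netflix".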

Recommended Action (AI)

Within 24 hours: Identify all systems running Steeltoe.Discovery.Eureka prior to 4.2.0 (for 4.x) or 3.4.0 (for 3.x) and categorize by production criticality. …
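Identifying affected systems means checking each .NET project's Steeltoe.Discovery.Eureka reference against the per-line fix versions named in the advisory (3.4.0 for 3.x, 4.2.0 for 4.x). The following Python script is an added example, not vendor tooling; the .csproj content is constructed, and the functions is_affected and scan_project are names chosen for this example. The caveat it encodes is the pre-release case: 4.2.0-rc1 sorts before 4.2.0 under SemVer, so it is still "prior to 4.2.0" and must be reported as affected, which a naive string comparison against "4.2.0" gets wrong. Versions on a line the advisory does not name (for instance 2.x) are reported as not covered rather than as safe.

```python
"""Inventory check for Steeltoe.Discovery.Eureka package versions in .NET
project files. Added example; the project XML below is constructed."""
import re
import xml.etree.ElementTree as ET

PACKAGE = "Steeltoe.Discovery.Eureka"
# First fixed version on each release line named by the advisory.
FIXED = {3: (3, 4, 0), 4: (4, 2, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")


def is_affected(version):
    """True if `version` is prior to the fix on its release line, False if at
    or past it, None if the advisory names no fix for that line (e.g. 2.x)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    fix = FIXED.get(base[0])
    if fix is None:
        return None
    # 4.2.0-rc1 sorts before 4.2.0 under SemVer, so it is still prior to the fix.
    return base < fix or (base == fix and prerelease)


def _local(tag):
    return tag.split("}")[-1]          # tolerate the old msbuild XML namespace


def scan_project(xml_text):
    """Return (version, is_affected) for every Steeltoe.Discovery.Eureka
    reference in a .csproj or Directory.Packages.props body."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        if PACKAGE not in (el.get("Include"), el.get("Update")):
            continue
        version = el.get("Version")
        if not version:                # <Version> child element form
            child = next((c for c in el if _local(c.tag) == "Version"), None)
            version = (child.text or "").strip() if child is not None else ""
        if not version:
            continue                   # centrally managed; check the props file
        findings.append((version, is_affected(version)))
    return findings


SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Steeltoe.Discovery.Eureka" Version="3.2.4" />
    <PackageReference Include="Steeltoe.Discovery.Consul" Version="3.2.4" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, affected in scan_project(SAMPLE_CSPROJ):
        verdict = {True: "AFFECTED", False: "ok", None: "not covered by advisory"}[affected]
        print(f"{PACKAGE} {version}: {verdict}")
```

Run scan_project over every *.csproj and Directory.Packages.props in the source tree, then cross-check against the resolved versions in each project's obj/project.assets.json, since a transitive dependency can pull in a different version than the one declared. Once the advisory is present in the NuGet vulnerability feed, `dotnet list package --vulnerable` gives an independent view of the same resolved graph.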

