Skip to main content

Steeltoe Management Endpoint CVE-2026-50201

| EUVDEUVD-2026-37813 MEDIUM
Improper Privilege Management (CWE-269)
2026-06-17 GitHub_M GHSA-227r-jm2g-7cp4
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable CF actuator endpoints require only low-privilege CF credentials (PR:L); impact is purely confidentiality (environment/heap data exposure) with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 02, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 17, 2026 - 23:01 vuln.today
Analysis Generated
Jun 17, 2026 - 23:01 vuln.today

DescriptionCVE.org

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to EndpointPermissions.Restricted, which is mappeds to Cloud Foundry's read_basic_data permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to EndpointPermissions.Full, so CF's read_sensitive_data permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with read_sensitive_data by default. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible, explicitly set RequiredPermissions = EndpointPermissions.Full in the options for HeapDumpEndpointOptions, EnvironmentEndpointOptions, and ThreadDumpEndpointOptions; and/or if heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using AddAllActuators().

AnalysisAI

Sensitive actuator endpoints in Steeltoe.Management.Endpoint and Steeltoe.Management.EndpointCore expose heap dumps, environment variables, and thread dumps to low-trust Cloud Foundry roles (Space Auditors) due to incorrect default permission levels. Affected versions inherit the base class default of EndpointPermissions.Restricted - which maps to CF's read_basic_data scope - rather than overriding to EndpointPermissions.Full (read_sensitive_data), the permission level Spring Boot's equivalent integration correctly enforces. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain CF Space Auditor credentials
Delivery
Authenticate to Cloud Foundry API
Exploit
Identify target app with Steeltoe actuators enabled
Execution
Send HTTP GET to /actuator/env or /actuator/heapdump
Persist
Receive sensitive environment variables or heap dump
Impact
Extract secrets and credentials from response

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the target application must be deployed on Cloud Foundry - non-CF deployments do not use the EndpointPermissions/CF scope mechanism and are unaffected; (2) the application must run Steeltoe.Management.Endpoint prior to 4.2.0 or EndpointCore prior to 3.4.0; (3) the sensitive actuators (heap dump, environment, or thread dump) must be registered - this occurs automatically if AddAllActuators() is used, which is the common quick-start pattern; (4) the attacker must hold valid CF credentials with at least the Space Auditor role or any other role granted read_basic_data scope in the target CF organization and space. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 6.5 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the risk profile: network-reachable, low complexity, requiring only low-privilege CF credentials, with high confidentiality impact and no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Cloud Foundry user with a Space Auditor role - a common low-trust role granted for read-only visibility into a CF space - authenticates to the CF API, then sends a standard HTTP GET request to the /actuator/env, /actuator/heapdump, or /actuator/threaddump endpoint of a vulnerable Steeltoe application. The application responds with full environment variable listings (potentially including database passwords, OAuth client secrets, and cloud service keys) or a heap dump file that can be analyzed offline to extract in-memory credentials. …
Remediation Vendor-released patches are Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0; upgrade to these versions or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-50201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy