Skip to main content

Steeltoe Management EUVDEUVD-2026-37801

| CVE-2026-50194 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-17 GitHub_M GHSA-58f6-6rj2-3v8r
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
8.2 HIGH

Remote single-request Host-header spoof with no auth or UI; high confidentiality from actuator data exposure, low integrity from writable actuators, no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 02, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 17, 2026 - 22:15 vuln.today
Analysis Generated
Jun 17, 2026 - 22:15 vuln.today

DescriptionCVE.org

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the Host header value and prevent clients from setting an arbitrary port.

AnalysisAI

Improper authentication in Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 allows remote unauthenticated attackers to reach actuator endpoints intended to be isolated on a separate management port by spoofing the HTTP Host header. The middleware trusted the client-supplied Host header port instead of the actual TCP socket port, defeating port-based access restrictions and enabling information disclosure from sensitive actuator endpoints. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Steeltoe app with isolated mgmt port
Delivery
Send HTTP request to public port
Exploit
Set Host header to host:management-port
Execution
Middleware trusts spoofed Host port
Persist
Actuator endpoint returns sensitive data
Impact
Exfiltrate env/config/secrets

Vulnerability AssessmentAI

Exploitation The target application must be running Steeltoe Management 3.2.2-3.3.0 or 4.1.0 with the Management:Endpoints:Port configuration key set to a value different from the main application port (i.e., the alternate-management-port deployment pattern). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (8.2 High) accurately reflects a network-reachable, unauthenticated, single-request bypass with high confidentiality impact (actuators frequently expose environment variables, configuration, heap dumps, and trace data) and limited integrity impact (some actuators allow state changes such as log-level adjustments). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the application's public HTTP port sends a normal GET to /actuator/env (or any other sensitive actuator path) while setting the Host header to host:9090, where 9090 is the configured management port. The middleware parses the spoofed port from the Host header, concludes the request arrived on the management port, and serves the actuator response over the public socket - leaking environment variables, configuration, and other sensitive runtime data. …
Remediation Vendor-released patch: upgrade Steeltoe Management to 3.4.0 (3.x line) or 4.2.0 (4.x line), which replace the Host-header-port check with context.Connection.LocalPort per commits https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9 and https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Steeltoe versions 3.2.2-3.3.0 or 4.1.0 via configuration management and asset inventory. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37801 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy