Skip to main content

Steeltoe Management EUVDEUVD-2026-37811

| CVE-2026-50200 HIGH
Information Exposure (CWE-200)
2026-06-17 GitHub_M GHSA-q62h-354g-5r85
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Network-reachable unauthenticated read of /actuator/env yields high confidentiality loss, but AC:H reflects the required non-default exposure of the env actuator and use of unmatched key names.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch available
Jul 02, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 17, 2026 - 22:18 vuln.today
Analysis Generated
Jun 17, 2026 - 22:18 vuln.today

DescriptionCVE.org

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove env from the actuator exposure list; add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.

AnalysisAI

Sensitive credential disclosure in Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before 3.4.0 allows remote attackers to retrieve plaintext database connection strings, embedded passwords, and URI userinfo segments via the /actuator/env endpoint. The Sanitizer's default key-suffix list omits the standard .NET ConnectionStrings:<name> pattern and the Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString pattern, and performs no value-based scrubbing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed Steeltoe actuator
Delivery
GET /actuator/env unauthenticated
Exploit
Parse ConnectionStrings values from response
Execution
Extract embedded DB/broker credentials
Persist
Authenticate to backend datastore
Impact
Exfiltrate or tamper with data

Vulnerability AssessmentAI

Exploitation Requires that the Steeltoe `env` actuator endpoint is included in the actuator exposure list AND is reachable by the attacker AND is not protected by an ASP.NET authorization policy. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) is plausible only when the `env` actuator is exposed without authentication - a known-bad but unfortunately common deployment pattern that mirrors the Spring Boot Actuator exposure issues seen historically. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker discovers a publicly reachable Steeltoe-based .NET service and issues a single GET request to `/actuator/env`, receiving a JSON document containing the application's full `ConnectionStrings:*` values with embedded SQL Server, PostgreSQL, or RabbitMQ credentials. The attacker pivots by connecting directly to the disclosed database or message broker using the harvested credentials. …
Remediation Vendor-released patch: upgrade Steeltoe.Management.Endpoint to 4.2.0 or Steeltoe.Management.EndpointCore to 3.4.0, which add `.*connectionstring.*` to the default sanitization list and introduce value-based scrubbing of embedded `Password=`/`Pwd=` pairs and URI userinfo (commits bef9f14b and e50cd31a). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit systems running Steeltoe.Management.Endpoint <4.2.0 or EndpointCore <3.4.0; restrict network access to /actuator/env endpoint using firewall, WAF, or network controls; immediately rotate all database connection credentials and embedded authentication secrets. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37811 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy