Skip to main content

Ocelot EUVDEUVD-2026-40353

| CVE-2026-58172 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-06-30 VulnCheck GHSA-wc9q-87f2-4983
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Unauthenticated remote bypass triggered by simply using a WebSocket upgrade (PR:N, AC:L, AV:N); exposes downstream confidentiality and integrity (C:H/I:H), with availability unaffected (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Source Code Evidence Fetched
Jun 30, 2026 - 17:30 vuln.today
Analysis Updated
Jun 30, 2026 - 17:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 17:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 17:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 17:22 NVD
9.1 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Jun 30, 2026 - 17:18 vuln.today

DescriptionCVE.org

Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.

AnalysisAI

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Ocelot gateway enforcing IP allow/block list
Delivery
Send WebSocket upgrade request to protected route
Exploit
MapWhen branch skips SecurityMiddleware
Execution
Request proxied to downstream service
Impact
Access otherwise-restricted resources

Vulnerability AssessmentAI

Exploitation Exploitable only when a route or global config defines Ocelot SecurityOptions with an IPAllowedList or IPBlockedList AND the targeted route is reachable through a WebSocket upgrade (HTTP Upgrade: websocket, or a ws/wss DownstreamScheme route). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score of 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N, VC:H/VI:H) reflects unauthenticated, low-complexity, remote bypass of a security control with high confidentiality and integrity impact on downstream services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker whose source IP is on the gateway's IPBlockedList (or simply not on the IPAllowedList) is rejected with 403 on normal HTTP calls to a protected route. They instead open a WebSocket connection (ws://gateway/proxy/...) to the same route; because the upgrade branch skips SecurityMiddleware, Ocelot proxies the connection straight to the downstream service. …
Remediation Upgrade to the Ocelot release that includes commit f156fd4 (PR #2406), which adds SecurityMiddleware to the WebSocket upgrade pipeline branch; the fix is confirmed by the vendor commit and acceptance tests, though a specific tagged NuGet release number was not provided in the input - verify the next published version above 24.1.0 against the commit before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: (1) Identify all production and non-production Ocelot instances running version 24.1.0 or earlier; (2) audit access logs for WebSocket upgrade (GET with 'Upgrade: websocket' header) requests to protected services; (3) catalog downstream systems relying solely on IP-based access control. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy