Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated remote bypass triggered by simply using a WebSocket upgrade (PR:N, AC:L, AV:N); exposes downstream confidentiality and integrity (C:H/I:H), with availability unaffected (A:N).
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.
AnalysisAI
IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitable only when a route or global config defines Ocelot SecurityOptions with an IPAllowedList or IPBlockedList AND the targeted route is reachable through a WebSocket upgrade (HTTP Upgrade: websocket, or a ws/wss DownstreamScheme route). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score of 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N, VC:H/VI:H) reflects unauthenticated, low-complexity, remote bypass of a security control with high confidentiality and integrity impact on downstream services. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker whose source IP is on the gateway's IPBlockedList (or simply not on the IPAllowedList) is rejected with 403 on normal HTTP calls to a protected route. They instead open a WebSocket connection (ws://gateway/proxy/...) to the same route; because the upgrade branch skips SecurityMiddleware, Ocelot proxies the connection straight to the downstream service. … |
| Remediation | Upgrade to the Ocelot release that includes commit f156fd4 (PR #2406), which adds SecurityMiddleware to the WebSocket upgrade pipeline branch; the fix is confirmed by the vendor commit and acceptance tests, though a specific tagged NuGet release number was not provided in the input - verify the next published version above 24.1.0 against the commit before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: (1) Identify all production and non-production Ocelot instances running version 24.1.0 or earlier; (2) audit access logs for WebSocket upgrade (GET with 'Upgrade: websocket' header) requests to protected services; (3) catalog downstream systems relying solely on IP-based access control. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40353
GHSA-wc9q-87f2-4983