Skip to main content

Ocelot

1 CVEs product

Monthly

CVE-2026-58172 CRITICAL POC PATCH Act Now

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. Publicly available exploit code exists (VulnCheck advisory plus a reproducer in PR #2406), though there is no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Ocelot
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL POC PATCH Act Now

IP-based access control bypass in ThreeMammals Ocelot (a .NET API Gateway) through 24.1.0 lets denied or non-allowlisted clients reach protected downstream services by sending a WebSocket upgrade request instead of a plain HTTP request. The WebSocket pipeline branch, split off via MapWhen in OcelotPipelineExtensions.cs, never invokes SecurityMiddleware, so the configured IPAllowedList/IPBlockedList is silently skipped for upgrade traffic. Publicly available exploit code exists (VulnCheck advisory plus a reproducer in PR #2406), though there is no public exploit identified as actively exploited at time of analysis.

Authentication Bypass Ocelot
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy