{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/steeltoe.management.endpointcore--3.2.2--3.3.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-50194"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Steeltoe.Management.Endpoint \u003c= 4.1.0","Steeltoe.Management.EndpointCore \u003e= 3.2.2, \u003c= 3.3.0"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web-exploitation","cve","dotnet","bypass"],"_cs_type":"advisory","_cs_vendors":["Steeltoe"],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-50194) in Steeltoe applications allows unauthenticated remote attackers to bypass port isolation for management endpoints. This flaw affects configurations where \u003ccode\u003eManagement:Endpoints:Port\u003c/code\u003e is explicitly set to a port different from the application's primary listener. The middleware, intended to restrict access, incorrectly relies on the \u003ccode\u003eHost\u003c/code\u003e HTTP header rather than the actual network socket port. By crafting a request with a spoofed \u003ccode\u003eHost\u003c/code\u003e header specifying the management port, attackers can trick the application into granting access to all actuator endpoints. This enables unauthorized control, information disclosure, and potential configuration manipulation, making it a high-severity concern for organizations using vulnerable Steeltoe versions, specifically \u003ccode\u003eSteeltoe.Management.Endpoint\u003c/code\u003e up to 4.1.0 and \u003ccode\u003eSteeltoe.Management.EndpointCore\u003c/code\u003e versions between 3.2.2 and 3.3.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a publicly accessible Steeltoe application that is likely using management endpoints.\u003c/li\u003e\n\u003cli\u003eThe target Steeltoe application is configured with \u003ccode\u003eManagement:Endpoints:Port\u003c/code\u003e set to a port different from its main listener (e.g., application on 80/443, management on 8080).\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP request targeting the application's main listener port, typically 80 or 443.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a spoofed \u003ccode\u003eHost\u003c/code\u003e HTTP header, setting its value to the application's domain combined with the configured \u003ccode\u003eManagement:Endpoints:Port\u003c/code\u003e (e.g., \u003ccode\u003eHost: example.com:8080\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request scheme (HTTP/HTTPS) matches the \u003ccode\u003eManagement:Endpoints:SslEnabled\u003c/code\u003e setting of the application.\u003c/li\u003e\n\u003cli\u003eThe Steeltoe middleware, upon receiving the request, evaluates the \u003ccode\u003eHost\u003c/code\u003e header for port isolation rather than the actual socket port the request arrived on.\u003c/li\u003e\n\u003cli\u003eThe spoofed \u003ccode\u003eHost\u003c/code\u003e header causes the middleware to erroneously permit access as if the request originated on the designated management port.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthenticated access to all management actuator endpoints (e.g., \u003ccode\u003e/actuator/health\u003c/code\u003e, \u003ccode\u003e/actuator/env\u003c/code\u003e), enabling information disclosure or potential configuration changes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-50194 grants unauthenticated remote attackers full access to Steeltoe's management actuator endpoints. This can lead to severe consequences, including sensitive information disclosure (e.g., environment variables, application configuration), arbitrary configuration modifications, and potentially remote code execution if certain actuators are exposed and misconfigured. While no specific victim count has been reported, any organization deploying Steeltoe applications with the described vulnerable configuration is at risk. The ease of exploitation via a simple HTTP header manipulation makes this a high-risk vulnerability for data exposure and unauthorized system control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade \u003ccode\u003eSteeltoe.Management.Endpoint\u003c/code\u003e to version 4.1.1 or higher, and \u003ccode\u003eSteeltoe.Management.EndpointCore\u003c/code\u003e to version 3.3.1 or higher, to address CVE-2026-50194.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM, tuning \u003ccode\u003ecs-host\u003c/code\u003e to match your expected application domain and monitoring for \u003ccode\u003ecs-uri-stem\u003c/code\u003e containing \u003ccode\u003e/actuator/\u003c/code\u003e with unexpected port values in the \u003ccode\u003eHost\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eImplement explicit ASP.NET Core authorization (\u003ccode\u003eRequireAuthorization\u003c/code\u003e) on all sensitive actuator endpoints as a defense-in-depth measure, as recommended by the Steeltoe advisory.\u003c/li\u003e\n\u003cli\u003eConfigure reverse proxies or load balancers in front of Steeltoe applications to strictly enforce expected \u003ccode\u003eHost\u003c/code\u003e header values, preventing clients from specifying arbitrary ports.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:24:19Z","date_published":"2026-07-03T11:24:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-steeltoe-host-header-bypass/","summary":"An unauthenticated remote attacker can bypass port isolation in Steeltoe applications configured with `Management:Endpoints:Port` by spoofing the Host HTTP header, allowing access to all actuator endpoints (CVE-2026-50194).","title":"Steeltoe Host Header Bypass Vulnerability (CVE-2026-50194)","url":"https://feed.craftedsignal.io/briefs/2026-07-steeltoe-host-header-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Steeltoe.Management.EndpointCore \u003e= 3.2.2, \u003c= 3.3.0","version":"https://jsonfeed.org/version/1.1"}