<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Steeltoe - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/steeltoe/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:22:21 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/steeltoe/feed.xml" rel="self" type="application/rss+xml"/><item><title>Steeltoe Environment Actuator Vulnerability (CVE-2026-50200) Leaks Database Passwords</title><link>https://feed.craftedsignal.io/briefs/2026-07-steeltoe-env-sanitizer-leak/</link><pubDate>Fri, 03 Jul 2026 11:22:21 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-steeltoe-env-sanitizer-leak/</guid><description>A high-severity vulnerability, CVE-2026-50200, in the Steeltoe `Sanitizer` component of the Environment actuator allows for the unintended disclosure of sensitive connection string values, including embedded plaintext credentials, when the `/actuator/env` endpoint is accessed, enabling direct database connection and bypassing application-tier security.</description><content:encoded><![CDATA[<p>A significant vulnerability, identified as CVE-2026-50200, affects the <code>Sanitizer</code> component within the Environment actuator of Steeltoe applications, specifically <code>Steeltoe.Management.Endpoint</code> versions <code>&lt;= 4.1.0</code> and <code>Steeltoe.Management.EndpointCore</code> versions <code>&lt;= 3.3.0</code>. This flaw allows sensitive connection string details, including embedded plaintext passwords and user credentials, to be exposed verbatim when the <code>/actuator/env</code> endpoint is accessed. The default sanitization rules fail to cover standard .NET <code>ConnectionStrings:&lt;name&gt;</code> or Steeltoe Connectors' <code>Steeltoe:Client:&lt;type&gt;:Default:ConnectionString</code> patterns. This means that if <code>env</code> is exposed in <code>Management:Endpoints:Actuator:Exposure:Include</code> on standard deployments, or if accessed by an authenticated Cloud Foundry user with <code>read_basic_data</code> permissions via <code>/cloudfoundryapplication/env</code>, an attacker can retrieve critical database credentials, leading to direct access to backend databases and circumventing application-level security controls.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker conducts reconnaissance to identify a publicly accessible or internally exposed Steeltoe application endpoint, specifically targeting <code>/actuator/env</code> or <code>/cloudfoundryapplication/env</code>.</li>
<li>The attacker sends an unauthenticated (if publicly exposed) or authenticated (if Cloud Foundry with <code>read_basic_data</code> permissions) HTTP GET request to the identified <code>/actuator/env</code> or <code>/cloudfoundryapplication/env</code> endpoint.</li>
<li>The Steeltoe application's Environment actuator processes the request to display environment properties.</li>
<li>Due to the flaw in the <code>Sanitizer</code> component (CVE-2026-50200), configuration keys such as <code>ConnectionStrings:&lt;name&gt;</code> or <code>*:ConnectionString</code> are not properly redacted.</li>
<li>The application returns the full, unsanitized connection string values, which include plaintext credentials like <code>Password=</code> or <code>user:pass@host</code>, in the HTTP response body.</li>
<li>The attacker extracts these sensitive database credentials from the response.</li>
<li>Using the obtained credentials, the attacker establishes a direct connection to the backend database.</li>
<li>The attacker can then perform data exfiltration, manipulation, or further persistence actions on the database, bypassing the application layer.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Organizations running vulnerable Steeltoe applications are at high risk of credential compromise and direct database access. If successfully exploited, this vulnerability allows attackers to retrieve plaintext database credentials from the <code>/actuator/env</code> endpoint. This direct access to databases, such as SQL Server, PostgreSQL, or MySQL, can lead to severe consequences including unauthorized data exfiltration, data tampering, service disruption, and potential lateral movement within the network. The scope of impact is broad, affecting any organization utilizing Steeltoe where the actuator environment endpoint is exposed, either intentionally or inadvertently, without proper sanitization or authorization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>nuget/Steeltoe.Management.Endpoint</code> to version <code>4.1.1</code> or later, and <code>nuget/Steeltoe.Management.EndpointCore</code> to version <code>3.3.1</code> or later, to patch CVE-2026-50200.</li>
<li>If immediate upgrade is not possible, remove <code>env</code> from <code>Management:Endpoints:Actuator:Exposure:Include</code> in your application configuration to prevent access via the standard path.</li>
<li>As a defense-in-depth measure, add <code>.*connectionstring.*</code> to the <code>KeysToSanitize</code> list in your Steeltoe configuration to ensure these patterns are redacted.</li>
<li>Enforce strong authorization on all actuator endpoints to limit access to trusted personnel and systems, as described in the brief's attack chain.</li>
<li>Deploy the <code>Detects CVE-2026-50200 Exploitation - Access to Steeltoe /actuator/env</code> Sigma rule to your SIEM and tune for legitimate access patterns.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>credential-access</category><category>vulnerability</category><category>.net</category><category>steeltoe</category><category>webserver</category><category>actuator</category></item></channel></rss>