Skip to content
Threat Feed

Vendor

Steeltoe

3 briefs RSS
high advisory

Steeltoe Host Header Bypass Vulnerability (CVE-2026-50194)

An unauthenticated remote attacker can bypass port isolation in Steeltoe applications configured with `Management:Endpoints:Port` by spoofing the Host HTTP header, allowing access to all actuator endpoints (CVE-2026-50194).

Steeltoe.Management.Endpoint <= 4.1.0 +1 vulnerability web-exploitation cve dotnet bypass
1r 2t 1c
medium advisory

Steeltoe.Discovery.Eureka Deserialization Denial-of-Service (CVE-2026-50196)

The Steeltoe.Discovery.Eureka client contains a vulnerability (CVE-2026-50196) where its `DataCenterInfo.FromJson` method throws an `ArgumentException` if a `DataCenterInfo.name` value other than 'MyOwn' or 'Amazon' is encountered, specifically missing the valid 'Netflix' value from the Java Eureka specification, which causes the local service registry to become permanently empty or stale, leading to a complete service discovery outage for all connected Steeltoe Eureka clients.

Steeltoe.Discovery.Eureka +1 vulnerability service-discovery .net java denial-of-service
1c
high advisory

Steeltoe Environment Actuator Vulnerability (CVE-2026-50200) Leaks Database Passwords

A high-severity vulnerability, CVE-2026-50200, in the Steeltoe `Sanitizer` component of the Environment actuator allows for the unintended disclosure of sensitive connection string values, including embedded plaintext credentials, when the `/actuator/env` endpoint is accessed, enabling direct database connection and bypassing application-tier security.

Steeltoe.Management.Endpoint <= 4.1.0 +1 credential-access vulnerability .net steeltoe webserver actuator
1r 1t 1c