HIGH 8.2 NuGet
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
GHSA-58f6-6rj2-3v8r · CVE-2026-50194
Published · Modified
Description
Summary
When Steeltoe management endpoints are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port.
Impact
An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.
Affected configuration
- The application's public port is accessible over from the network.
Management:Endpoints:Portis configured to a value different from the application's main listener port.- The request scheme matches
Management:Endpoints:SslEnabled. For example,httpwhenSslEnabledisfalse(the default), orhttpswhenSslEnabledistrue.
Mitigations
If an immediate upgrade to a patched version is not possible:
- Add explicit ASP.NET Core authorization (
RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation. - Configure the reverse proxy or load balancer to enforce the
Hostheader value and prevent clients from setting an arbitrary port.
References
- WEB https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-58f6-6rj2-3v8r
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-50194
- WEB https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9
- WEB https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6
- PACKAGE https://github.com/SteeltoeOSS/steeltoe
Ready to move
Start Securing
Free, no credit card | First findings in minutes