{"id":"CVE-2026-50194","summary":"Steeltoe vulnerable to management-port isolation bypass via spoofed Host header","details":"Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.","aliases":["GHSA-58f6-6rj2-3v8r"],"modified":"2026-07-08T08:05:47.574035801Z","published":"2026-06-17T21:03:26.756Z","database_specific":{"cwe_ids":["CWE-288","CWE-639"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50194.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50194.json"},{"type":"ADVISORY","url":"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-58f6-6rj2-3v8r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50194"},{"type":"FIX","url":"https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9"},{"type":"FIX","url":"https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/steeltoeoss/steeltoe","events":[{"introduced":"97dabffecebd9ddf46d70503b036ccf5c08e9217"},{"fixed":"29ffc807093682330a3e35961d3e7b8c4049e422"},{"fixed":"4cbc352fe89ac2e6c609554e435ab28996fec5e9"},{"fixed":"b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"3.2.2"},{"fixed":"3.3.0"}]}}],"versions":["3.3.0","3.2.8","3.2.7","3.2.6","3.2.5","3.2.4","3.2.3","3.2.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50194.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}