CVE-2026-50194 | Severity: HIGH | CNA: GitHub_M

CVE-2026-50194: Steeltoe vulnerable to management-port isolation bypass via spoofed Host header

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. When Steeltoe management endpoints versions 3.2.2 through 3.3.0 and 4.1.0 are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. Versions 3.4.0 and 4.2.0 patch the issue. If an immediate upgrade to a patched version is not possible, add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation and/or configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 2


HarborGuard Analysis

Synopsis

This is an authentication bypass affecting Steeltoe management endpoint middleware (versions 3.2.2 through 3.3.0 and 4.1.0). The middleware that enforces port-based isolation reads the HTTP Host header instead of the actual network socket port, so a remote attacker with no credentials can send a spoofed Host header over the network and reach management actuator endpoints that were intended to be restricted to an alternate port. Successful exploitation lets an attacker read sensitive management data and make limited modifications to application state. No upstream fix versions have been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as one is released.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-50194 is ingested from upstream advisory feeds within minutes of publication and matched against all scanned images, including custom-built images that bundle Steeltoe.Management.Endpoint or Steeltoe.Management.EndpointCore. Any image carrying a version in an affected range is flagged automatically.

Triage: Available

Triage capability is available with the full CVSS v3.1 score of 8.2 (HIGH), surfaced alongside each affected image so teams can prioritize accordingly. Per-environment compliance policy weighting is applied during triage, and findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version exists for CVE-2026-50194, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment Steeltoe publishes versions 3.4.0 or 4.2.0 to supported package feeds. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads, with no manual trigger required.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Steeltoe application over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials or account are needed; the spoofed Host header can be sent by any unauthenticated HTTP client.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from a user or administrator.

  • Attack complexity: Low

    Attack complexity is low; the exploit is a straightforward header substitution with no race conditions or special environmental factors required.

Blast Radius

  • An attacker reads responses from management actuator endpoints, which can expose environment variables, configuration values, health-check internals, and in-memory metrics.
  • An attacker makes low-privilege writes to actuator endpoints that accept POST or DELETE requests, such as toggling log levels or refreshing configuration bindings.
  • Internal service topology and dependency details visible through actuator endpoints can be harvested to plan further lateral movement within the deployment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously with no action required from customers. Because no patched version of Steeltoe.Management.Endpoint or Steeltoe.Management.EndpointCore has been published, HarborGuard re-checks the upstream advisory on every ingest cycle. The moment versions 3.4.0 or 4.2.0 appear in supported package feeds, a patched-image rebuild becomes available automatically. For customers with auto-remediation enabled, that rebuild triggers a regression test run and a PR opened against affected workloads.

While waiting for an upstream fix, compensating controls worth considering include:

  • Adding explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints, so that port isolation is not the only enforcement layer.
  • Configuring the reverse proxy or load balancer to validate and rewrite the Host header, so clients cannot set an arbitrary port value.
  • Applying network policy to restrict ingress to management ports at the infrastructure level, limiting which source IPs or namespaces can reach those ports at all.
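The following is an added example written for this page; it is not Steeltoe's code and does not reproduce Steeltoe's middleware. It is a self-contained ASP.NET Core (.NET 8 minimal API) host that isolates management endpoints on a second Kestrel listener, and it places the flawed check the advisory describes (deciding from the client-supplied `Host` header) next to the hardened check (deciding from the port the TCP connection was actually accepted on), with `RequireAuthorization` layered on top as the defense-in-depth control recommended above. The port numbers, the `/actuator` prefix, the `ManagementOperators` policy, the `Management:ApiKey` setting and the `DemoApiKeyHandler` class are all assumptions made for the example.

```csharp
// Added example (not Steeltoe's code). Ports, paths, policy name and the
// DemoApiKeyHandler stand-in are assumptions for illustration only.
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

const int ApplicationPort = 8080;          // assumed: normal traffic listener
const int ManagementPort = 9090;           // assumed: management listener
const string ManagementPrefix = "/actuator";

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(ApplicationPort);
    kestrel.ListenAnyIP(ManagementPort);
});

// Defense in depth: management routes require an authenticated operator even
// if the port gate were bypassed. DemoApiKeyHandler stands in for the
// deployment's real authentication scheme.
builder.Services.AddAuthentication("DemoKey")
    .AddScheme<AuthenticationSchemeOptions, DemoApiKeyHandler>("DemoKey", null);
builder.Services.AddAuthorization(options =>
    options.AddPolicy("ManagementOperators",
        policy => policy.RequireAuthenticatedUser().RequireRole("ops")));

var app = builder.Build();

// FLAWED pattern (shown only for contrast, never used as the gate): the port
// comes from the Host header, which the client controls. A request that
// arrived on 8080 carrying "Host: app:9090" would pass this check.
bool HostHeaderClaimsManagementPort(HttpContext ctx) =>
    ctx.Request.Host.Port == ManagementPort;

// HARDENED: Connection.LocalPort is the port Kestrel accepted the TCP
// connection on. No HTTP header can change it.
bool ConnectionIsOnManagementPort(HttpContext ctx) =>
    ctx.Connection.LocalPort == ManagementPort;

app.Use(async (ctx, next) =>
{
    bool managementPath = ctx.Request.Path.StartsWithSegments(ManagementPrefix);
    bool managementSocket = ConnectionIsOnManagementPort(ctx);

    // Detection signal: a Host header naming the management port on a
    // connection that did not arrive there is exactly the mismatch worth alerting on.
    if (!managementSocket && HostHeaderClaimsManagementPort(ctx))
        app.Logger.LogWarning(
            "Host header claims port {HostPort} but socket port is {SocketPort} (remote {Remote})",
            ctx.Request.Host.Port, ctx.Connection.LocalPort, ctx.Connection.RemoteIpAddress);

    // Management paths only on the management socket, application paths only
    // on the application socket; anything else is answered as if it did not exist.
    if (managementPath != managementSocket)
    {
        ctx.Response.StatusCode = StatusCodes.Status404NotFound;
        return;
    }
    await next();
});

app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "application traffic");

var management = app.MapGroup(ManagementPrefix).RequireAuthorization("ManagementOperators");
management.MapGet("/health", () => Results.Ok(new { status = "UP" }));
management.MapGet("/info", () => Results.Ok(new { environment = app.Environment.EnvironmentName }));

app.Run();

// Stand-in authentication scheme (assumption): accepts a key read from the
// Management:ApiKey setting in the X-Management-Key header. Replace it with
// the deployment's real scheme; it exists only so RequireAuthorization has
// something to authenticate against when the example is run.
sealed class DemoApiKeyHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly string? _expected;

    public DemoApiKeyHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, IConfiguration config)
        : base(options, logger, encoder)
    {
        _expected = config["Management:ApiKey"];
    }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (_expected is null
            || !Request.Headers.TryGetValue("X-Management-Key", out var presented)
            || !CryptographicOperations.FixedTimeEquals(
                   Encoding.UTF8.GetBytes(presented.ToString()), Encoding.UTF8.GetBytes(_expected)))
            return Task.FromResult(AuthenticateResult.NoResult());

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "operator"), new Claim(ClaimTypes.Role, "ops") },
            Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

Run it with `dotnet run` after setting `Management__ApiKey` in the environment; with the socket-based gate in place, the `Host` header has no influence on whether an `/actuator/*` route is reachable, and the warning log line gives a detection hook for probes that name the management port in `Host` while arriving on the application listener. Two caveats a practitioner should keep in mind: behind a reverse proxy, `Connection.LocalPort` describes the proxy-to-application hop, so the proxy must be the only path to the management port, and the proxy itself should overwrite the inbound `Host` header (for example, nginx's `proxy_set_header Host $host;`) rather than forwarding whatever the client sent, which is the second mitigation the advisory lists.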

Affected packages
  • SteeltoeOSS / Steeltoe.Management.Endpoint
    < 4.2.0
  • SteeltoeOSS / Steeltoe.Management.EndpointCore
    >= 3.2.2, < 3.4.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N