CVE-2026-50196: Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Steeltoe is an open source project that provides a collection of libraries that help users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a denial-of-service vulnerability in Steeltoe.Discovery.Eureka, the .NET Eureka service-discovery client. An attacker who can reach the Eureka server over the network, with no authentication required, can register a service using the valid but unhandled DataCenterInfo name value "Netflix". Because the affected client rejects that value while deserializing the whole registry response, a single such entry makes the entire registry fetch throw, and the exception is silently swallowed, emptying the local service registry. Successful exploitation leaves the target Steeltoe Eureka client permanently blind to all registered services, disrupting routing and inter-service communication. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as fix versions 4.2.0 or 3.4.0 are published upstream.
HarborGuard Coverage
Detection of CVE-2026-50196 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Steeltoe.Discovery.Eureka in any affected version range. Any image containing a Steeltoe.Discovery.Eureka package at or above 4.0.0 and below 4.2.0, or below 3.4.0, is flagged automatically.
HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Because no upstream fix versions have been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment versions 4.2.0 or 3.4.0 appear upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Eureka server over the network to inject a registration with an unsupported DataCenterInfo name value.
- Authentication: Not required
No credentials or account are needed to register a service entry with the Eureka server.
- Victim interaction: Not required
No user or operator action is required; the poisoned registry entry is consumed automatically by the periodic cache refresh task.
- Attack complexity: Low (AC:L)
The exploit is reliable and condition-free: injecting a "Netflix" DataCenterInfo name value consistently triggers the exception on every cache refresh cycle.
Blast Radius
- The affected Steeltoe Eureka client's local service registry is permanently emptied or left stale, preventing it from resolving any downstream service addresses.
- All inter-service calls that rely on the Eureka registry for endpoint discovery fail, effectively isolating the affected application from the rest of the service mesh.
- The exception is silently swallowed by the refresh task, so the outage is invisible in normal application logs without explicit monitoring of the Eureka client cache.
How HarborGuard Handles This
Because no upstream fix has been published for CVE-2026-50196, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment Steeltoe.Discovery.Eureka 4.2.0 or 3.4.0 is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically without manual intervention. In the interim, consider the following compensating controls where compliance policy permits: apply network-policy rules to restrict which clients can register entries with the Eureka server, audit mixed Java/Spring and Steeltoe environments for any service registered with the "Netflix" DataCenterInfo name value and remove those registrations, and add alerting on empty or unexpectedly stale Eureka cache snapshots so that silent failures are surfaced promptly.
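The audit step above, and the whole-fetch failure mode described in the summary, as an added example (not Steeltoe or HarborGuard code). It parses the JSON shape returned by a Eureka server's `GET /eureka/apps` endpoint from a constructed sample, lists every registration whose `dataCenterInfo.name` the pre-fix client cannot parse, and models why one such entry empties the local registry while the fixed value set keeps every instance. The sample response and the `STEELTOE_ACCEPTED` / `EUREKA_SPEC_NAMES` sets are assumptions drawn from the advisory text.

```python
from __future__ import annotations
import json
from typing import Iterator

# Names accepted by the pre-fix parser, and the full set the Java Eureka spec defines.
STEELTOE_ACCEPTED = {"MyOwn", "Amazon"}
EUREKA_SPEC_NAMES = {"MyOwn", "Amazon", "Netflix"}

# Constructed sample of a GET /eureka/apps JSON body (not captured from a real server).
SAMPLE_APPS = json.dumps({
    "applications": {
        "application": [
            {"name": "ORDERS", "instance": [
                {"instanceId": "orders-1", "dataCenterInfo": {"name": "MyOwn"}}]},
            {"name": "BILLING", "instance": [
                {"instanceId": "billing-1", "dataCenterInfo": {"name": "Amazon"}},
                {"instanceId": "billing-2", "dataCenterInfo": {"name": "Netflix"}}]},
        ]
    }
})

def _as_list(node):
    """Eureka's XML-derived JSON collapses a single element to an object; normalise to a list."""
    if node is None:
        return []
    return node if isinstance(node, list) else [node]

def iter_instances(apps_json: str) -> Iterator[tuple[str, str, str]]:
    """Yield (application name, instanceId, dataCenterInfo.name) for every registration."""
    doc = json.loads(apps_json)
    for app in _as_list(doc.get("applications", {}).get("application")):
        for inst in _as_list(app.get("instance")):
            dci = inst.get("dataCenterInfo") or {}
            yield app.get("name", "?"), inst.get("instanceId", "?"), dci.get("name", "")

def audit_data_center_names(apps_json: str, accepted=STEELTOE_ACCEPTED) -> list[tuple[str, str, str]]:
    """Registrations an affected client cannot deserialize; remove these per the advisory."""
    return [t for t in iter_instances(apps_json) if t[2] not in accepted]

def registry_as_seen_by_client(apps_json: str, accepted=STEELTOE_ACCEPTED) -> dict[str, list[str]]:
    """Model the fetch: the first unrecognised name aborts the whole deserialization, so the
    client keeps nothing (empty registry). With the spec's full name set every instance survives."""
    seen: dict[str, list[str]] = {}
    for app, inst, name in iter_instances(apps_json):
        if name not in accepted:
            return {}  # whole-fetch ArgumentException: local registry left empty
        seen.setdefault(app, []).append(inst)
    return seen

if __name__ == "__main__":
    for app, inst, name in audit_data_center_names(SAMPLE_APPS):
        print(f"unsupported dataCenterInfo.name {name!r} on {app}/{inst}")
```

Pointing `audit_data_center_names` at a live `/eureka/apps` response and alerting when it returns anything, or when `registry_as_seen_by_client` would return an empty dict, covers both interim controls from the advisory.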
- SteeltoeOSS / Steeltoe.Discovery.Eureka: >= 4.0.0, < 4.2.0 · < 3.4.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H