CVE-2026-50200: Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 2
HarborGuard Analysis
Synopsis
This is an information-disclosure vulnerability in Steeltoe's Environment actuator, affecting Steeltoe.Management.Endpoint before 4.2.0 and Steeltoe.Management.EndpointCore before 3.4.0. The actuator's sanitizer component strips secrets by matching configuration key names against a suffix list, but the list does not cover the standard .NET ConnectionStrings pattern or Steeltoe Connectors' connection string keys, so full connection string values, including embedded passwords and user credentials, are returned verbatim in unauthenticated HTTP responses to the /actuator/env endpoint. Any network-reachable attacker with no credentials can read database passwords and other secrets embedded in connection strings. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle the affected Steeltoe assemblies. Any image containing a vulnerable version of Steeltoe.Management.Endpoint or Steeltoe.Management.EndpointCore is flagged automatically.
AvailableHarborGuard scores this CVE at CVSS 7.5 (HIGH) and surfaces it with that severity weighting applied against each customer's compliance policy. Triage alerts are routed to the team or inbox configured in each organization's notification settings, so the right people see it without manual filtering.
AvailableBecause no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Steeltoe.Management.Endpoint 4.2.0 or Steeltoe.Management.EndpointCore 3.4.0 is confirmed upstream. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a PR against affected workloads will be opened automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the application's actuator HTTP endpoint over the network; no local access is needed.
- AuthenticationNot required
No credentials are required; the /actuator/env endpoint returns sensitive values to any unauthenticated HTTP request.
- Victim interactionNot required
Exploitation is fully passive and requires no action from any user or operator of the target application.
- Attack complexityDetail
The exploit is a straightforward HTTP GET request with no race conditions or special environmental prerequisites; it is reliable and condition-free.
Blast Radius
- An attacker reads full database connection strings, including embedded passwords in Password= and user:pass@host formats, from the /actuator/env HTTP response.
- Any service credential stored as a .NET ConnectionStrings entry or a Steeltoe Connectors connection string key is exposed verbatim, potentially covering multiple downstream databases or message brokers.
- Leaked credentials can be reused directly against the referenced database or service hosts, enabling unauthorized data access beyond the application itself.
How HarborGuard Handles This
Available on HarborGuard: any image containing a vulnerable version of Steeltoe.Management.Endpoint (below 4.2.0) or Steeltoe.Management.EndpointCore (below 3.4.0) is flagged as HIGH severity within minutes of the CVE being ingested. Because no upstream fix is published yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once Steeltoe ships versions 4.2.0 or 3.4.0. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger without manual intervention at that point. In the interim, HarborGuard's policy engine can be used to enforce compensating controls: remove the env actuator from the exposure list in your application configuration, add .*connectionstring.* to the KeysToSanitize list as a defense-in-depth measure, and apply network policies that restrict unauthenticated access to actuator endpoints. These controls can be codified as policy checks and flagged in HarborGuard if images or associated manifests show configurations that contradict them.
- SteeltoeOSS / Steeltoe.Management.Endpoint< 4.2.0
- SteeltoeOSS / Steeltoe.Management.EndpointCore< 3.4.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N