{"document":{"category":"csaf_vex","csaf_version":"2.0","title":"CVE-2026-50200: Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords","publisher":{"category":"vendor","name":"HarborGuard Database","namespace":"https://database.harborguard.co"},"tracking":{"id":"CVE-2026-50200","status":"final","version":"1","initial_release_date":"2026-06-17T21:44:21.586Z","current_release_date":"2026-06-17T21:44:21.586Z","revision_history":[{"date":"2026-06-17T21:44:21.586Z","number":"1","summary":"Initial machine-readable export from HarborGuard."}]},"distribution":{"tlp":{"label":"WHITE"},"text":"Public CVE data; freely redistributable."},"notes":[{"category":"description","text":"Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.","title":"CVE description"}],"references":[{"category":"self","summary":"CVE-2026-50200 on HarborGuard Database","url":"https://database.harborguard.co/cve/CVE-2026-50200"},{"category":"external","summary":"CVE Record","url":"https://www.cve.org/CVERecord?id=CVE-2026-50200"},{"category":"external","summary":"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-q62h-354g-5r85","url":"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-q62h-354g-5r85"},{"category":"external","summary":"https://github.com/SteeltoeOSS/Steeltoe/commit/bef9f14b710232fca3fbe87e48fdd1b9e6b60d43","url":"https://github.com/SteeltoeOSS/Steeltoe/commit/bef9f14b710232fca3fbe87e48fdd1b9e6b60d43"},{"category":"external","summary":"https://github.com/SteeltoeOSS/Steeltoe/commit/e50cd31a429b191841120f0d38fa9dda8f751b0a","url":"https://github.com/SteeltoeOSS/Steeltoe/commit/e50cd31a429b191841120f0d38fa9dda8f751b0a"}]},"product_tree":{"branches":[{"category":"vendor","name":"SteeltoeOSS","branches":[{"category":"product_name","name":"Steeltoe.Management.Endpoint","branches":[{"category":"product_version","name":"< 4.2.0","product":{"name":"SteeltoeOSS Steeltoe.Management.Endpoint < 4.2.0","product_id":"CSAFPID-1","product_identification_helper":{"cpe":"cpe:2.3:a:steeltoeoss:steeltoe.management.endpoint:\\<_4.2.0:*:*:*:*:*:*:*"}}}]}]},{"category":"vendor","name":"SteeltoeOSS","branches":[{"category":"product_name","name":"Steeltoe.Management.EndpointCore","branches":[{"category":"product_version","name":"< 3.4.0","product":{"name":"SteeltoeOSS Steeltoe.Management.EndpointCore < 3.4.0","product_id":"CSAFPID-2","product_identification_helper":{"cpe":"cpe:2.3:a:steeltoeoss:steeltoe.management.endpointcore:\\<_3.4.0:*:*:*:*:*:*:*"}}}]}]}]},"vulnerabilities":[{"cve":"CVE-2026-50200","title":"Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords","notes":[{"category":"description","text":"Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.","title":"CVE description"}],"product_status":{"known_affected":["CSAFPID-1","CSAFPID-2"]},"scores":[{"cvss_v3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH"},"products":["CSAFPID-1","CSAFPID-2"]}],"remediations":[{"category":"none_available","details":"No fixed version is published yet. Monitor the upstream advisory.","product_ids":["CSAFPID-1","CSAFPID-2"]}]}]}