CVE-2026-58172 (CRITICAL). CNA: VulnCheck

CVE-2026-58172: Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests

Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: f156fd4017ca25025fffdad8ec56c1d657dfb402
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a security control bypass vulnerability in Ocelot, the open-source .NET API gateway, affecting versions through 24.1.0. An unauthenticated attacker reachable over the network can send a WebSocket upgrade request to bypass IP-based allow/block list enforcement entirely, because the WebSocket pipeline branch omits the SecurityMiddleware that enforces those rules. Successful exploitation lets a blocked client reach downstream services as if the access restriction were never configured. A patched-image rebuild at commit f156fd4017ca25025fffdad8ec56c1d657dfb402 is available on HarborGuard for environments running an affected version.
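To make the pipeline-ordering point concrete, the following is an added example written as a generic ASP.NET Core minimal app (project SDK Microsoft.NET.Sdk.Web). It is not Ocelot's code and uses none of Ocelot's types: the IpAllowListMiddleware class, the IpAllowList record, the PIPELINE_SHAPE environment variable, the sample address 203.0.113.10 and the ProxyToDownstream handler are all assumptions made for illustration. It places a MapWhen WebSocket branch that omits the allow-list middleware, the shape the advisory describes, next to the corrected branch that registers it, so the reason a MapWhen branch needs its own copy of every security middleware is visible in the code.

```csharp
// Added illustration; NOT Ocelot's code. Names below are assumptions for the example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Constructed sample allow list (TEST-NET-3 address); real deployments load this from config.
var allowList = new IpAllowList(new[] { IPAddress.Parse("203.0.113.10") });

// Hypothetical switch so both pipeline shapes can be inspected; the fixed shape is the default.
if (Environment.GetEnvironmentVariable("PIPELINE_SHAPE") == "vulnerable")
    ConfigureVulnerable(app, allowList);
else
    ConfigureFixed(app, allowList);

app.Run();

// Shape described by the advisory: MapWhen creates a *separate* pipeline for WebSocket
// upgrade requests. Middleware added to `app` after MapWhen never runs for requests that
// enter the branch, and the branch registers no security middleware of its own, so the
// allow list is never consulted on the WebSocket path.
static void ConfigureVulnerable(IApplicationBuilder app, IpAllowList allowList)
{
    app.UseWebSockets(); // needed so ctx.WebSockets.IsWebSocketRequest reflects the Upgrade header
    app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest, branch =>
    {
        // Missing here: branch.UseMiddleware<IpAllowListMiddleware>(allowList);
        branch.Run(ProxyToDownstream);
    });
    app.UseMiddleware<IpAllowListMiddleware>(allowList); // guards only the non-WebSocket path
    app.Run(ProxyToDownstream);
}

// Corrected shape: the branch carries the same security middleware as the main path.
// (Registering the middleware once, before MapWhen, on the shared prefix of the pipeline
// is the other valid arrangement; either way the check must run before the branch forwards.)
static void ConfigureFixed(IApplicationBuilder app, IpAllowList allowList)
{
    app.UseWebSockets();
    app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest, branch =>
    {
        branch.UseMiddleware<IpAllowListMiddleware>(allowList);
        branch.Run(ProxyToDownstream);
    });
    app.UseMiddleware<IpAllowListMiddleware>(allowList);
    app.Run(ProxyToDownstream);
}

// Stand-in for the gateway's downstream proxying; it only reports which path handled the request.
static Task ProxyToDownstream(HttpContext ctx) =>
    ctx.Response.WriteAsync(
        $"proxied {(ctx.WebSockets.IsWebSocketRequest ? "websocket" : "http")} request from {ctx.Connection.RemoteIpAddress}");

// Hypothetical allow list wrapper (a record, so UseMiddleware passes it as one ctor argument).
public sealed record IpAllowList(IReadOnlyCollection<IPAddress> Addresses);

// Hypothetical IP allow-list middleware: 403 for any client not on the list.
public sealed class IpAllowListMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IpAllowList _allowList;

    public IpAllowListMiddleware(RequestDelegate next, IpAllowList allowList)
    {
        _next = next;
        _allowList = allowList;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var remote = context.Connection.RemoteIpAddress;
        // Dual-stack listeners report IPv4 clients as IPv4-mapped IPv6; normalise before comparing.
        if (remote is not null && remote.IsIPv4MappedToIPv6)
            remote = remote.MapToIPv4();
        if (remote is null || !_allowList.Addresses.Contains(remote))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
        await _next(context);
    }
}
```

When reviewing a gateway for this class of flaw, the check is mechanical: list every MapWhen, Map and UseWhen branch in the pipeline and confirm each one registers (or inherits, by ordering) the same authentication, IP filtering and logging middleware as the main path. If the gateway sits behind a load balancer, UseForwardedHeaders must run before the allow-list middleware so RemoteIpAddress reflects the real client rather than the proxy.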

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-58172 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Ocelot as a dependency.

Triage: Available

HarborGuard scores this finding at CVSS 9.3 Critical and applies per-environment compliance policy weighting to determine urgency before routing the alert to the appropriate team inbox inside each customer organization.

Patch: Available

A patched-image rebuild pinned to the fix commit f156fd4017ca25025fffdad8ec56c1d657dfb402 is available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Ocelot API gateway over the network to send a crafted WebSocket upgrade request.

  • Authentication: Not required

    No credentials or account of any kind are needed; the bypass is exploitable by any unauthenticated client.

  • Victim interaction: Not required

    No victim action is required; the attacker sends the malicious request directly without any user involvement.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, memory layout dependencies, or special environmental factors are needed to trigger the bypass.

Blast Radius

  • The attacker reads responses from downstream services that the IP block list was intended to deny access to, including any data those services expose.
  • The attacker sends arbitrary writes or mutations to downstream services, modifying application state, stored records, or configuration that those services accept from trusted callers.
  • Any downstream service reachable through Ocelot's WebSocket routing is exposed, meaning the blast radius grows with the number of upstream services behind the gateway.

How HarborGuard Handles This

Available on HarborGuard: images containing Ocelot at or below version 24.1.0 are flagged automatically when the CVE is ingested, with no manual scan trigger required. A rebuild at the fix commit (f156fd4017ca25025fffdad8ec56c1d657dfb402) is queued as soon as an affected image is identified. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs regression checks, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the fix commit pinned and ready. Because WebSocket traffic may bypass logging at the gateway layer, security teams should also consider adding network-policy rules to restrict direct downstream access as a compensating control until the patched image is deployed.


Fix available

Patch commits:
  • f156fd4017ca25025fffdad8ec56c1d657dfb402

Affected packages:
  • ThreeMammals / Ocelot, ≤ 24.1.0, fixed in f156fd4017ca25025fffdad8ec56c1d657dfb402

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N