GHSA-58f6-6rj2-3v8r
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
Details
### Summary
When Steeltoe management endpoints are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port.
### Impact
An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.
### Affected configuration
- The application's public port is accessible from the network.
- `Management:Endpoints:Port` is configured to a value different from the application's main listener port.
- The request scheme matches `Management:Endpoints:SslEnabled`. For example, `http` when `SslEnabled` is `false` (the default), or `https` when `SslEnabled` is `true`.
### Mitigations
If an immediate upgrade to a patched version is not possible:
- Add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.
- Configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.
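To make the root cause and the mitigations concrete, here is an added ASP.NET Core example (not Steeltoe's own code) that contrasts a port check based on the client-controlled `Host` header with one based on the socket port the request actually arrived on, and layers `RequireAuthorization` on top. The `/actuator` path prefix, the management port `9090` and the `/actuator/health` route are assumptions for the example.

```csharp
// Added example, not Steeltoe's code. Assumes management endpoints live under
// "/actuator" and that Management:Endpoints:Port defaults to 9090 if unset.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(); // a real app must register a scheme here
builder.Services.AddAuthorization();
var app = builder.Build();

int managementPort = builder.Configuration.GetValue<int>("Management:Endpoints:Port", 9090);

// Vulnerable pattern: Request.Host is parsed from the HTTP Host header, which the
// client supplies, so a request on the public listener can claim the management port.
static bool ArrivedOnManagementPortUnsafe(HttpContext ctx, int managementPort)
    => ctx.Request.Host.Port == managementPort;

// Hardened pattern: Connection.LocalPort is the port the server socket accepted the
// connection on; no request header can change it.
static bool ArrivedOnManagementPort(HttpContext ctx, int managementPort)
    => ctx.Connection.LocalPort == managementPort;

app.Use(async (ctx, next) =>
{
    if (ctx.Request.Path.StartsWithSegments("/actuator")
        && !ArrivedOnManagementPort(ctx, managementPort))
    {
        // Respond as if the route does not exist on the public port.
        ctx.Response.StatusCode = StatusCodes.Status404NotFound;
        return;
    }
    await next();
});

app.UseAuthentication();
app.UseAuthorization();

// Defense in depth independent of port isolation: even a request that really did
// arrive on the management port must carry an authenticated identity.
app.MapGet("/actuator/health", () => Results.Ok(new { status = "UP" }))
   .RequireAuthorization();

app.Run();
```

When the application sits behind a reverse proxy, `Connection.LocalPort` reflects the port the proxy connected to, which is exactly the boundary the isolation is meant to enforce.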
Affected packages
- Steeltoe.Management.Endpoint: affected versions >= 0, fixed in 4.2.0 (`dotnet add package Steeltoe.Management.Endpoint --version 4.2.0`)
- Steeltoe.Management.EndpointCore: affected versions >= 3.2.2, fixed in 3.4.0 (`dotnet add package Steeltoe.Management.EndpointCore --version 3.4.0`)
References
- https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-58f6-6rj2-3v8r [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-50194 [ADVISORY]
- https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9 [WEB]
- https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6 [WEB]
- https://github.com/SteeltoeOSS/steeltoe [PACKAGE]