CVE Catalog

CVE-2026-50201

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

Steeltoe prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0 have all actuator endpoints defaulting to `EndpointPermissions.Restricted`, which may lead to unauthorized access to sensitive data. Sensitive endpoints such as heap dump, environment, and thread dump are not properly secured.

Risk Assessment

Organizations may be exposed to sensitive data leaks as endpoints do not require full permissions for reading sensitive data. This could lead to privacy and security breaches in applications.

Recommendation

It is recommended to upgrade to Steeltoe.Management.Endpoint 4.2.0 or Steeltoe.Management.EndpointCore 3.4.0. If an upgrade is not possible, set `RequiredPermissions = EndpointPermissions.Full` for the relevant endpoint options or register only the required actuators individually.

Original NVD description (English source)

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mappeds to Cloud Foundry's `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to `EndpointPermissions.Full`, so CF's `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible, explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`; and/or if heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS