CVE Catalog

CVE-2026-50267

MediumCVSS 4.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.07%

0th percentile — higher than 0% of all known CVEs

Summary

In Steeltoe.Configuration.Abstractions versions 4.0.0 through 4.1.0, TLS credentials are written to temporary files that are world-readable on Linux. These files are never deleted, creating a risk of sensitive information exposure.

Risk Assessment

Organizations may be exposed to credential leaks, potentially leading to unauthorized access to MySQL or PostgreSQL databases. This could result in serious security implications for applications and data.

Recommendation

It is recommended to immediately upgrade to version 4.2.0 or later. If an upgrade is not possible, prevent access to `/tmp` for other processes running in the container under a different UID.

Original NVD description (English source)

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask, and the files are never deleted. The same key material is protected at mode `0400` in `/proc/<pid>/environ`. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue. If an immediate upgrade is not possible, prevent other processes from running in the container under a different UID with access to `/tmp`.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS