GHSA-58f6-6rj2-3v8r: Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
Summary
When Steeltoe management endpoints are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port.
Impact
An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.
Affected configuration
- The application's public port is accessible over from the network.
- Management:Endpoints:Port is configured to a value different from the application's main listener port.
- The request scheme matches Management:Endpoints:SslEnabled. For example, http when SslEnabled is false (the default), or https when SslEnabled is true.
Mitigations
If an immediate upgrade to a patched version is not possible:
- Add explicit ASP.NET Core authorization (RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.
- Configure the reverse proxy or load balancer to enforce the Host header value and prevent clients from setting an arbitrary port.
Details
Original advisory: https://github.com/advisories/GHSA-58f6-6rj2-3v8r
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-501940.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-50194 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10