CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50200

highCVSS 7.5covered by 1 sourcefirst seen 2026-07-02
Summary The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses. Impact Any caller who can reach /actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier. Affected configuration - Application configuration contains credentials in ConnectionStrings:* or *:ConnectionString keys. - On standard deployments: env is added to Management:Endpoints:Actuator:Exposure:Include. This is not the default. - On Cloud Foundry: the /cloudfoundryapplication/env path is accessible to any authenticated CF user with read_basic_data permissions (Space Auditor and above) regardless of the exposure configuration. Mitigations If an immediate upgrade is not possible: - On the standard path, remove env from the actuator exposure list. - Add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths. - Require authorization on actuator endpoints.

⚡ Watch CVE-2026-50200

Get an email if CVE-2026-50200 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-50200

CVE.org record

Embed the live status

CVE-2026-50200 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50200 status](https://www.csirts.com/badge/CVE-2026-50200)](https://www.csirts.com/cve/CVE-2026-50200)