Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, all Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mapped to Cloud Foundry's `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators including heap dump, environment, and thread dump do not raise this to `EndpointPermissions.Full`, so CF's `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible, explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`; and/or if heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.
Published: 2026-06-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because Steeltoe actuator endpoints default to a low-trust permission level that permits access to sensitive data. When the application exposes all actuators, users with only basic read access, such as Cloud Foundry Space Auditors, can retrieve heap dumps, environment variables, and thread dumps. The impact is to confidentiality: internal application state is disclosed to principals who were never authorized to read it.

Affected Systems

The issue affects the SteeltoeOSS Steeltoe.Management.Endpoint package for versions earlier than 4.2.0 and the Steeltoe.Management.EndpointCore package for versions earlier than 3.4.0. Any .NET application that incorporates these packages and either uses AddAllActuators() or relies on the default endpoint registration is vulnerable. The problem is specific to the Steeltoe OSS library ecosystem.

Risk and Exploitability

The CVSS score of 6.5 classifies the issue as medium severity. The EPSS score of less than 1% indicates a low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. Based on the description, it is inferred that an attacker could reach the actuator endpoints over HTTP, either through a publicly exposed service or from an internal network. If such access is possible, a request to /actuator/heapdump, /actuator/env, or /actuator/threaddump made as a principal holding only the default Restricted permission would return sensitive data. No privileges beyond that low-trust role are required, making the attack straightforward.

Generated by OpenCVE AI on June 18, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Steeltoe.Management.Endpoint to version 4.2.0 or newer, or upgrade Steeltoe.Management.EndpointCore to 3.4.0 or newer.
  • If an upgrade is not immediately possible, configure each of the problematic endpoints to require full permissions by setting RequiredPermissions = EndpointPermissions.Full in your application options for HeapDumpEndpointOptions, EnvironmentEndpointOptions, and ThreadDumpEndpointOptions.
  • Avoid exposing all actuators in production by removing AddAllActuators() and registering only the actuators that are truly required.
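As an added illustration (not code from the Steeltoe project or from this advisory), a Program.cs fragment contrasting the affected default registration with the two mitigations listed above. The `using` namespaces and the `AddHealthActuator`/`AddInfoActuator`/`AddCloudFoundryActuator` method names are assumptions based on Steeltoe 4's public API; `AddAllActuators()`, `RequiredPermissions`, `EndpointPermissions.Full` and the three options types are as named on this page.

```csharp
// Added example; not from the Steeltoe project or this advisory.
// Namespaces below are assumed from Steeltoe 4; adjust to the version in use.
using Microsoft.Extensions.DependencyInjection;
using Steeltoe.Management.Endpoint;                // assumed: AddAllActuators(), Add*Actuator()
using Steeltoe.Management.Endpoint.Configuration;  // assumed: EndpointPermissions, *EndpointOptions

var builder = WebApplication.CreateBuilder(args);

// AFFECTED (before 4.2.0 / 3.4.0): every actuator is mapped and each keeps the
// library default of EndpointPermissions.Restricted, which CF maps to read_basic_data.
// Heap dump, environment and thread dump are therefore readable by Space Auditors.
//
//     builder.Services.AddAllActuators();

// MITIGATION 1 (upgrade not yet possible): keep the registration, but raise the
// three sensitive actuators to Full so that CF's read_sensitive_data permission is
// enforced for them, matching Spring Boot's Cloud Foundry default.
builder.Services.AddAllActuators();
builder.Services.Configure<HeapDumpEndpointOptions>(
    o => o.RequiredPermissions = EndpointPermissions.Full);
builder.Services.Configure<EnvironmentEndpointOptions>(
    o => o.RequiredPermissions = EndpointPermissions.Full);
builder.Services.Configure<ThreadDumpEndpointOptions>(
    o => o.RequiredPermissions = EndpointPermissions.Full);

// MITIGATION 2 (preferred when dumps and env are not needed in production): do not
// call AddAllActuators(); register only what operators use, so the sensitive
// endpoints are never mapped at all. Use instead of the block above, not with it.
//
//     builder.Services.AddHealthActuator();        // assumed method name
//     builder.Services.AddInfoActuator();          // assumed method name
//     builder.Services.AddCloudFoundryActuator();  // assumed method name

var app = builder.Build();
app.Run();
```

After deploying, confirm the change by checking that the three endpoints now refuse a token that carries only read_basic_data while health and info still answer.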


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type: Description
Values removed: none
Values added: the advisory text shown in the Description section at the top of this page

Type: Title
Values removed: none
Values added: Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission

Type: Weaknesses
Values removed: none
Values added: CWE-269, CWE-285

Type: References
Values removed: none
Values added: none listed

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T12:51:12.653Z

Reserved: 2026-06-03T22:05:13.645Z

Link: CVE-2026-50201

Vulnrichment

Updated: 2026-06-18T12:51:02.238Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-269: Improper Privilege Management
  • CWE-285: Improper Authorization