Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3214 vulnerabilities reference this CWE, most recent first.

GHSA-5679-7QRC-5M7J

Vulnerability from github – Published: 2020-04-29 16:31 – Updated: 2021-09-02 18:48
VLAI
Summary
IDOR can reveal execution data and logs to unauthorized user in Rundeck
Details

Impact

Authenticated users can craft a request that reveals Execution data and logs and Job details that they are not authorized to see.

Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher.

Details

An authenticated user could craft a request to:

  • View Executions and download execution logs without access to read or view the associated Job, or ad-hoc resource.
  • Get the list of running executions in a project, without Event read access, if they have read access to view the project.
  • View the Options definitions of a Job without access to view the Job.
  • View the definition of a workflow step of a Job without access to view the Job.
  • View the SCM diff of a modified Job definition if SCM is enabled, without Project export access level.
  • View the New User Profile Form for a different username, without User admin access. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user.

Some authenticated API requests were not correctly checking appropriate authorization levels:

  • The list of running Executions would be sent without read access to Events.
  • The Plugin Input Parameters for a SCM plugin would be sent without authorization for project import,scm_import,export, or scm_export actions.
  • Job Retry action could retry an execution without read or view access to the Execution, which would reveal the Execution's option values. (run access to the Job was still required).

Patches

Upgrade to Rundeck version 3.2.6

Workarounds

None

References

3.2.6 Release Notes

Report

If you have any questions or comments about this advisory: * Email us at security@rundeck.com

To report security issues to Rundeck please use the form at http://rundeck.com/security

Reporter: Justine Osborne of Apple Information Security

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.rundeck:rundeck"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-11009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-04-29T16:30:45Z",
    "nvd_published_at": "2020-04-29T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nAuthenticated users can craft a request that reveals Execution data and logs  and Job details that they are not authorized to see.\n\n\u003e Depending on the configuration and the way that Rundeck is used, this could result in anything between a high severity risk, or a very low risk. If access is tightly restricted and all users on the system have access to all projects, this is not really much of an issue. If access is wider and allows login for users that do not have access to any projects, or project access is restricted, there is a larger issue. If access is meant to be restricted and secrets, sensitive data, or intellectual property are exposed in Rundeck execution output and job data, the risk becomes much higher.\n\n### Details\n\nAn authenticated user could craft a request to:\n\n* View Executions and download execution logs without access to `read` or `view` the associated Job, or ad-hoc resource.\n* Get the list of running executions in a project, without Event `read` access, if they have `read` access to view the project.\n* View the Options definitions of a Job without access to view the Job.\n* View the definition of a workflow step of a Job without access to view the Job.\n* View the SCM diff of a modified Job definition if SCM is enabled, without Project `export` access level.\n* View the New User Profile Form for a different username, without User `admin` access. Note: they would not be allowed to create or modify a profile for a different user, or reveal any user profile information for a different user.\n\nSome authenticated API requests were not correctly checking appropriate authorization levels:\n\n* The list of running Executions would be sent without `read` access to Events.\n* The Plugin Input Parameters for a SCM plugin would be sent without authorization for project `import`,`scm_import`,`export`, or `scm_export` actions.\n* Job Retry action could retry an execution without `read` or `view` access to the Execution, which would reveal the Execution\u0027s option values. (`run` access to the Job was still required).\n\n### Patches\nUpgrade to Rundeck version 3.2.6\n\n### Workarounds\nNone\n\n### References\n[3.2.6 Release Notes](https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html)\n\n### Report\nIf you have any questions or comments about this advisory:\n* Email us at [security@rundeck.com](mailto:security@rundeck.com)\n\nTo report security issues to Rundeck please use the form at [http://rundeck.com/security](http://rundeck.com/security)\n\nReporter: Justine Osborne of Apple Information Security",
  "id": "GHSA-5679-7qrc-5m7j",
  "modified": "2021-09-02T18:48:11Z",
  "published": "2020-04-29T16:31:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rundeck/rundeck/security/advisories/GHSA-5679-7qrc-5m7j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11009"
    },
    {
      "type": "WEB",
      "url": "https://docs.rundeck.com/docs/history/3_2_x/version-3.2.6.html"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rundeck/rundeck"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "IDOR can reveal execution data and logs to unauthorized user in Rundeck"
}

GHSA-56RF-V7JX-HXGF

Vulnerability from github – Published: 2025-12-31 15:30 – Updated: 2026-04-01 18:36
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-63053"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-31T15:15:54Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Jewel Theme Master Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Master Addons for Elementor: from n/a through 2.0.9.9.4.",
  "id": "GHSA-56rf-v7jx-hxgf",
  "modified": "2026-04-01T18:36:27Z",
  "published": "2025-12-31T15:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63053"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/wordpress/plugin/master-addons/vulnerability/wordpress-master-addons-for-elementor-plugin-2-0-9-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-572Q-472R-V8M3

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 00:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-47555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:15:54Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through \u003c= 3.9.4.",
  "id": "GHSA-572q-472r-v8m3",
  "modified": "2026-01-27T00:31:09Z",
  "published": "2026-01-22T18:30:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47555"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-576J-7QWW-F874

Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31
VLAI
Details

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-13874"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T06:16:20Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access.",
  "id": "GHSA-576j-7qww-f874",
  "modified": "2026-05-14T06:31:32Z",
  "published": "2026-05-14T06:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13874"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3445398"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/582634"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-578W-C832-XRGC

Vulnerability from github – Published: 2024-10-31 06:30 – Updated: 2024-10-31 06:30
VLAI
Details

The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the 'entry_id' user controlled key. This makes it possible for unauthenticated attackers to modify other user's quiz submissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-9700"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-31T06:15:05Z",
    "severity": "MODERATE"
  },
  "details": "The Forminator Forms \u2013 Contact Form, Payment Form \u0026 Custom Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.36.0 via the submit_quizzes() function due to missing validation on the \u0027entry_id\u0027 user controlled key. This makes it possible for unauthenticated attackers to modify other user\u0027s quiz submissions.",
  "id": "GHSA-578w-c832-xrgc",
  "modified": "2024-10-31T06:30:45Z",
  "published": "2024-10-31T06:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9700"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/forminator/tags/1.35.1/library/modules/quizzes/front/front-action.php#L548"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3172942"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fbed35ca-1630-46a4-8b1f-60cc7216f294?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57C3-9RJJ-44M5

Vulnerability from github – Published: 2023-07-12 06:30 – Updated: 2024-04-04 06:01
VLAI
Details

The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-3105"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-12T05:15:10Z",
    "severity": "HIGH"
  },
  "details": "The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts.",
  "id": "GHSA-57c3-9rjj-44m5",
  "modified": "2024-04-04T06:01:36Z",
  "published": "2023-07-12T06:30:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3105"
    },
    {
      "type": "WEB",
      "url": "https://www.learndash.com/release-notes"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2318b3e1-268d-45fa-83bf-c6e88f1b9013?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57C8-XJXF-CQC2

Vulnerability from github – Published: 2026-04-08 09:31 – Updated: 2026-04-08 09:31
VLAI
Details

The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4654"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-08T08:16:24Z",
    "severity": "MODERATE"
  },
  "details": "The Awesome Support \u2013 WordPress HelpDesk \u0026 Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.",
  "id": "GHSA-57c8-xjxf-cqc2",
  "modified": "2026-04-08T09:31:31Z",
  "published": "2026-04-08T09:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4654"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1823"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/awesome-support/tags/6.3.7/includes/functions-post.php#L1851"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1823"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-post.php#L1851"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3497662%40awesome-support\u0026new=3497662%40awesome-support\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9015fa-b3f0-4312-8acd-02b715e26f33?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57P3-67R2-VWM7

Vulnerability from github – Published: 2025-04-25 15:31 – Updated: 2025-04-25 15:31
VLAI
Details

A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-3625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-25T15:15:36Z",
    "severity": "HIGH"
  },
  "details": "A security vulnerability was discovered in Moodle that can allow hackers to gain access to sensitive information about students and prevent them from logging into their accounts, even after they had completed two-factor authentication (2FA).",
  "id": "GHSA-57p3-67r2-vwm7",
  "modified": "2025-04-25T15:31:22Z",
  "published": "2025-04-25T15:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3625"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2025-3625"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2359690"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-57Q4-65MF-59MF

Vulnerability from github – Published: 2026-05-14 06:31 – Updated: 2026-05-14 06:31
VLAI
Details

GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-6063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T06:16:24Z",
    "severity": "MODERATE"
  },
  "details": "GitLab has remediated an issue in GitLab EE affecting all versions from 11.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that under certain conditions could have allowed an authenticated user with developer-role permissions to remove code owner approval rules from merge requests due to improper access control.",
  "id": "GHSA-57q4-65mf-59mf",
  "modified": "2026-05-14T06:31:33Z",
  "published": "2026-05-14T06:31:33Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6063"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/3649087"
    },
    {
      "type": "WEB",
      "url": "https://about.gitlab.com/releases/2026/05/13/patch-release-gitlab-18-11-3-released"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/596332"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-58F6-6RJ2-3V8R

Vulnerability from github – Published: 2026-07-02 20:29 – Updated: 2026-07-02 20:29
VLAI
Summary
Steeltoe vulnerable to management-port isolation bypass via spoofed Host header
Details

Summary

When Steeltoe management endpoints are configured to listen on an alternate port (Management:Endpoints:Port is configured), the middleware responsible for restricting access to the endpoints uses the Host HTTP header rather than the actual network socket port.

Impact

An unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.

Affected configuration

  • The application's public port is accessible over from the network.
  • Management:Endpoints:Port is configured to a value different from the application's main listener port.
  • The request scheme matches Management:Endpoints:SslEnabled. For example, http when SslEnabled is false (the default), or https when SslEnabled is true.

Mitigations

If an immediate upgrade to a patched version is not possible:

  • Add explicit ASP.NET Core authorization (RequireAuthorization) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.
  • Configure the reverse proxy or load balancer to enforce the Host header value and prevent clients from setting an arbitrary port.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Management.Endpoint"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.0"
      },
      "package": {
        "ecosystem": "NuGet",
        "name": "Steeltoe.Management.EndpointCore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.2.2"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:29:13Z",
    "nvd_published_at": "2026-06-17T22:16:23Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen Steeltoe management endpoints are configured to listen on an alternate port (`Management:Endpoints:Port` is configured), the middleware responsible for restricting access to the endpoints uses the `Host` HTTP header rather than the actual network socket port. \n\n### Impact\n\nAn unauthenticated remote attacker can reach every actuator endpoint using a specially crafted HTTP request.\n\n### Affected configuration\n\n- The application\u0027s public port is accessible over from the network.\n- `Management:Endpoints:Port` is configured to a value different from the application\u0027s main listener port.\n- The request scheme matches `Management:Endpoints:SslEnabled`. For example, `http` when `SslEnabled` is `false` (the default), or `https` when `SslEnabled` is `true`.\n\n### Mitigations\n\nIf an immediate upgrade to a patched version is not possible:\n\n- Add explicit ASP.NET Core authorization (`RequireAuthorization`) to all sensitive actuator endpoints as a defense-in-depth measure independent of port isolation.\n- Configure the reverse proxy or load balancer to enforce the `Host` header value and prevent clients from setting an arbitrary port.",
  "id": "GHSA-58f6-6rj2-3v8r",
  "modified": "2026-07-02T20:29:13Z",
  "published": "2026-07-02T20:29:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-58f6-6rj2-3v8r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/4cbc352fe89ac2e6c609554e435ab28996fec5e9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SteeltoeOSS/Steeltoe/commit/b7ca93c510aaa08d7e4ebec40ce20c5811c2c4b6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SteeltoeOSS/steeltoe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Steeltoe vulnerable to management-port isolation bypass via spoofed Host header"
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.