CVE-2026-50200
Steeltoe's env sanitizer misses connection strings — leaks embedded DB passwords
Description
### Summary

The `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values, including embedded `Password=` and `user:pass@host` segments, are returned verbatim in `/actuator/env` responses.

### Impact

Any caller who can reach `/actuator/env` can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.

### Affected configuration

- Application configuration contains credentials in `ConnectionStrings:*` or `*:ConnectionString` keys.
- On standard deployments: `env` is added to `Management:Endpoints:Actuator:Exposure:Include`. This is not the default.
- On Cloud Foundry: the `/cloudfoundryapplication/env` path is accessible to any authenticated CF user with `read_basic_data` permissions (Space Auditor and above) regardless of the exposure configuration.

### Mitigations

If an immediate upgrade is not possible:

- On the standard path, remove `env` from the actuator exposure list.
- Add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths.
- Require authorization on actuator endpoints.
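The following is an added model of the key-name matching described above, not Steeltoe's own code: it shows the default key list leaving `ConnectionStrings:*` values untouched, the `.*connectionstring.*` mitigation closing that gap, and a value-based scrub for the `Password=` and `user:pass@host` segments the advisory names. The exact matching rule (plain entries as case-insensitive suffixes, regex-looking entries as full-key regexes), the sample keys and all values are assumptions constructed for this example.

```python
import re

# Default key patterns as listed in the advisory. Assumed matching rule (a model,
# not Steeltoe's code): plain entries match as a case-insensitive suffix of the key,
# entries containing regex metacharacters must match the whole key as a regex.
DEFAULT_KEYS_TO_SANITIZE = ["password", "secret", "key", "token",
                            ".*credentials.*", "vcap_services"]
REDACTED = "******"

def key_matches(key: str, pattern: str) -> bool:
    if any(ch in pattern for ch in ".*[]()?+|"):
        return re.fullmatch(pattern, key, re.IGNORECASE) is not None
    return key.lower().endswith(pattern.lower())

def sanitize_by_key(config: dict, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE) -> dict:
    """Key-name redaction only: the mechanism the advisory describes."""
    return {k: REDACTED if any(key_matches(k, p) for p in keys_to_sanitize) else v
            for k, v in config.items()}

# Value-based scrubbing for the two connection-string shapes the advisory names:
# 'Password=...' segments and 'scheme://user:pass@host' userinfo.
_PASSWORD_KV = re.compile(r"\b(password|pwd)\s*=\s*[^;]*", re.IGNORECASE)
_URL_USERINFO = re.compile(r"(?<=://)([^:/@]+):([^@]*)@")

def scrub_value(value: str) -> str:
    value = _PASSWORD_KV.sub(lambda m: f"{m.group(1)}={REDACTED}", value)
    return _URL_USERINFO.sub(lambda m: f"{m.group(1)}:{REDACTED}@", value)

def sanitize(config: dict, keys_to_sanitize=DEFAULT_KEYS_TO_SANITIZE) -> dict:
    """Key-based redaction plus value scrubbing (defense in depth)."""
    return {k: v if v == REDACTED else scrub_value(v)
            for k, v in sanitize_by_key(config, keys_to_sanitize).items()}

# Constructed sample configuration; the values are not from any real deployment.
SAMPLE_CONFIG = {
    "ConnectionStrings:Default": "Server=db;Database=app;User Id=app;Password=s3cr3t",
    "Steeltoe:Client:PostgreSql:Default:ConnectionString": "postgres://app:hunter2@db:5432/app",
    "Auth:ApiKey": "abc123",
    "Logging:LogLevel:Default": "Information",
}
# The advisory's mitigation: add the connectionstring pattern to KeysToSanitize.
HARDENED_KEYS = DEFAULT_KEYS_TO_SANITIZE + [".*connectionstring.*"]

if __name__ == "__main__":
    print("default key list:", sanitize_by_key(SAMPLE_CONFIG))  # connection strings leak
    print("with connectionstring pattern:", sanitize_by_key(SAMPLE_CONFIG, HARDENED_KEYS))
    print("value-based scrubbing:", sanitize(SAMPLE_CONFIG))
```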
How to fix CVE-2026-50200
To remediate CVE-2026-50200, upgrade the affected package to a fixed version below.
- Upgrade to 4.2.0 or later
- Upgrade to 3.4.0 or later
Is CVE-2026-50200 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-50200.