CVE-2026-50201
Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission
Description
### Summary

All Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mapped to Cloud Foundry's `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators, including heap dump, environment, and thread dump, do not raise this to `EndpointPermissions.Full`, so CF's `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default.

### Impact

Any CF user holding the Space Auditor, Space Manager, or Org Auditor role can access the heap dump, environment, and thread dump actuators of any Steeltoe application in their space. A heap dump contains all in-memory data, including database passwords, bearer tokens, and VCAP_SERVICES credentials. CF's `read_sensitive_data` permission, which is specifically designed to gate this access, has no effect.

### Affected configuration

- The application is deployed on Cloud Foundry with the CF actuator and security middleware active (added automatically by `AddAllActuators()` when a CF environment is detected).
- The attacker holds a CF role that grants `read_basic_data`: Space Auditor, Space Manager, or Org Auditor.

### Mitigations

If an immediate upgrade is not possible:

- Explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`.
- If heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.
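The two mitigations above, as an added example of a hardened `Program.cs` for a Steeltoe 4.x ASP.NET Core application (this is illustrative code written for this page, not Steeltoe's own). The option type names, the `RequiredPermissions` property, the `EndpointPermissions` enum and `AddAllActuators()` come from the advisory; the `using` namespaces, the per-actuator `AddHealthActuator()`/`AddInfoActuator()` registration methods, and the `AssertSensitiveActuatorsRequireFull` startup guard are assumptions added here. `PostConfigure<T>` is used instead of `Configure<T>` because it runs after every `IConfigureOptions<T>` registration, including Steeltoe's own option binding, so it cannot be undone by registration order:

```csharp
// Added example for CVE-2026-50201 mitigation; not Steeltoe project code.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Steeltoe.Management.Endpoint;                        // AddAllActuators(), Add*Actuator() (assumed namespace)
using Steeltoe.Management.Endpoint.Actuators.Environment;  // EnvironmentEndpointOptions (assumed namespace)
using Steeltoe.Management.Endpoint.Actuators.HeapDump;     // HeapDumpEndpointOptions (assumed namespace)
using Steeltoe.Management.Endpoint.Actuators.ThreadDump;   // ThreadDumpEndpointOptions (assumed namespace)
using Steeltoe.Management.Endpoint.Configuration;          // EndpointPermissions (assumed namespace)

static class ActuatorHardening
{
    // Mitigation 1: keep AddAllActuators() but require the CF read_sensitive_data
    // permission (EndpointPermissions.Full) on the three sensitive endpoints.
    // PostConfigure runs after all Configure<T> actions, so the value sticks.
    public static void AddAllActuatorsHardened(IServiceCollection services)
    {
        services.AddAllActuators();
        services.PostConfigure<HeapDumpEndpointOptions>(o => o.RequiredPermissions = EndpointPermissions.Full);
        services.PostConfigure<EnvironmentEndpointOptions>(o => o.RequiredPermissions = EndpointPermissions.Full);
        services.PostConfigure<ThreadDumpEndpointOptions>(o => o.RequiredPermissions = EndpointPermissions.Full);
    }

    // Mitigation 2: do not register the sensitive actuators at all. Only the
    // actuators production actually needs are added individually; the method
    // names below are assumed from Steeltoe's per-actuator registration pattern.
    public static void AddMinimalActuators(IServiceCollection services)
    {
        services.AddHealthActuator();
        services.AddInfoActuator();
    }

    // Startup guard (hypothetical helper): fail fast if any sensitive actuator
    // option is still at Restricted, e.g. because a later Configure<T> call,
    // appsettings binding, or a package upgrade changed the defaults again.
    public static void AssertSensitiveActuatorsRequireFull(IServiceProvider sp)
    {
        var checks = new (string Name, EndpointPermissions Required)[]
        {
            ("heapdump",   sp.GetRequiredService<IOptions<HeapDumpEndpointOptions>>().Value.RequiredPermissions),
            ("env",        sp.GetRequiredService<IOptions<EnvironmentEndpointOptions>>().Value.RequiredPermissions),
            ("threaddump", sp.GetRequiredService<IOptions<ThreadDumpEndpointOptions>>().Value.RequiredPermissions),
        };

        foreach (var (name, required) in checks)
        {
            if (required != EndpointPermissions.Full)
            {
                throw new InvalidOperationException(
                    $"Actuator '{name}' requires {required}; expected EndpointPermissions.Full " +
                    "so that Cloud Foundry's read_sensitive_data permission is enforced.");
            }
        }
    }
}

var builder = WebApplication.CreateBuilder(args);

// Pick one of the two mitigations. Mitigation 1 keeps the sensitive actuators
// for operators who hold read_sensitive_data; Mitigation 2 removes them entirely.
ActuatorHardening.AddAllActuatorsHardened(builder.Services);
// ActuatorHardening.AddMinimalActuators(builder.Services);

var app = builder.Build();

// Only meaningful with Mitigation 1; with Mitigation 2 the option types may not be registered.
ActuatorHardening.AssertSensitiveActuatorsRequireFull(app.Services);

app.MapGet("/", () => "ok");
app.Run();
```

After deploying, verify the change from the attacker's side as well as the operator's: request the heap dump actuator through the Cloud Foundry actuator route with a token belonging to a Space Auditor (a role that grants only `read_basic_data`) and confirm the security middleware now rejects it, then repeat with a token that carries `read_sensitive_data` and confirm it is still served. The startup guard covers the process's own configuration; the request test covers the middleware actually enforcing it.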
How to fix CVE-2026-50201
To remediate CVE-2026-50201, upgrade the affected package to one of the fixed versions below.
- 4.x line: upgrade to 4.2.0 or later
- 3.x line: upgrade to 3.4.0 or later
Is CVE-2026-50201 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-50201.