CVE-2026-50196
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Description
### Summary
`DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, even though the Java Eureka specification defines a third valid value, `"Netflix"`. The exception propagates up through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, so the local service registry is left permanently empty (for new clients) or stale (for running ones).
### Impact
A single registration with an unrecognized `DataCenterInfo.name` disables service discovery for every Steeltoe Eureka client connected to the same registry. New clients start with an empty registry and running clients stop refreshing. The outage persists until the triggering registration is removed. Because `"Netflix"` is valid in the Java Eureka specification, a Java or Spring service in the same mesh can trigger this unintentionally, without any malicious intent.
### Affected configuration
- The application uses the Steeltoe Eureka client (`EurekaDiscoveryClient`).
- The registry contains at least one registration whose `DataCenterInfo.name` is a value other than `"MyOwn"` or `"Amazon"`.
### Mitigations
If an immediate upgrade is not possible, remove any registrations that use unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.
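The failure mode above, modelled as an added example in Python (this is illustration code written for this page, not Steeltoe or Eureka code): a strict parser that mirrors the affected behaviour, a refresh task that swallows the error and keeps the old cache, an assumed tolerant parser that accepts every spec value and degrades unknown ones instead of failing the whole fetch (the real Steeltoe fix may differ), and an audit helper for the mitigation. The registry payload is a constructed sample in the shape of Eureka's `/eureka/apps` response; the instance names and addresses are made up.

```python
"""Model of how one unrecognized DataCenterInfo.name poisons a whole Eureka
registry fetch, plus a tolerant parser and an audit check for the mitigation.
Added illustration for this advisory, not Steeltoe or Eureka code."""
import json
import logging
from typing import Callable, Dict, List, Optional, Tuple

# Values defined by the Java Eureka DataCenterInfo.Name enum.
SPEC_DATA_CENTER_NAMES = {"MyOwn", "Amazon", "Netflix"}
# Values the affected Steeltoe versions accept, per the advisory.
STEELTOE_ACCEPTED_NAMES = {"MyOwn", "Amazon"}

# Constructed sample payload (made-up services) in the shape of /eureka/apps.
SAMPLE_REGISTRY = json.dumps({
    "applications": {"application": [
        {"name": "ORDERS", "instance": [
            {"instanceId": "orders-1", "ipAddr": "10.0.0.11", "port": {"$": 8080},
             "dataCenterInfo": {"name": "MyOwn"}}]},
        {"name": "PAYMENTS", "instance": [
            {"instanceId": "payments-1", "ipAddr": "10.0.0.12", "port": {"$": 8080},
             "dataCenterInfo": {"name": "Amazon"}}]},
        # A Spring Boot service registered with the third spec value.
        {"name": "LEDGER", "instance": [
            {"instanceId": "ledger-1", "ipAddr": "10.0.0.13", "port": {"$": 8080},
             "dataCenterInfo": {"name": "Netflix"}}]},
    ]}
})


def parse_data_center_strict(name: str) -> str:
    """Models the affected behaviour: anything but MyOwn/Amazon raises."""
    if name not in STEELTOE_ACCEPTED_NAMES:
        raise ValueError(f"Unknown data center name: {name}")
    return name


def parse_data_center_tolerant(name: str) -> str:
    """Assumed hardening (not the actual Steeltoe patch): accept every spec
    value and degrade unknown values to MyOwn rather than fail the fetch."""
    if name in SPEC_DATA_CENTER_NAMES:
        return name
    logging.warning("unrecognized dataCenterInfo.name %r, treating as MyOwn", name)
    return "MyOwn"


def deserialize_registry(payload: str, parse_dc: Callable[[str], str]) -> Dict[str, List[dict]]:
    """Builds {app: [instances]}. One bad instance aborts the whole result
    when parse_dc raises, which is the advisory's failure chain."""
    apps: Dict[str, List[dict]] = {}
    for app in json.loads(payload)["applications"]["application"]:
        instances = []
        for inst in app["instance"]:
            instances.append({
                "id": inst["instanceId"],
                "addr": f'{inst["ipAddr"]}:{inst["port"]["$"]}',
                "dc": parse_dc(inst["dataCenterInfo"]["name"]),
            })
        apps[app["name"]] = instances
    return apps


def refresh_cache(cache: dict, payload: str,
                  parse_dc: Callable[[str], str]) -> Tuple[dict, Optional[str]]:
    """Models the periodic refresh task: a failed fetch is logged and swallowed,
    so the caller keeps whatever cache it had (empty or stale)."""
    try:
        return deserialize_registry(payload, parse_dc), None
    except ValueError as exc:
        logging.error("registry refresh failed, keeping previous cache: %s", exc)
        return cache, str(exc)


def audit_registry(payload: str) -> List[Tuple[str, str, str]]:
    """Mitigation check: every instance whose dataCenterInfo.name the affected
    Steeltoe versions would reject, as (app, instanceId, name)."""
    offenders = []
    for app in json.loads(payload)["applications"]["application"]:
        for inst in app["instance"]:
            name = inst["dataCenterInfo"]["name"]
            if name not in STEELTOE_ACCEPTED_NAMES:
                offenders.append((app["name"], inst["instanceId"], name))
    return offenders


if __name__ == "__main__":
    cache, err = refresh_cache({}, SAMPLE_REGISTRY, parse_data_center_strict)
    print("strict  :", sorted(cache), "error:", err)
    cache, err = refresh_cache({}, SAMPLE_REGISTRY, parse_data_center_tolerant)
    print("tolerant:", sorted(cache), "error:", err)
    print("audit   :", audit_registry(SAMPLE_REGISTRY))
```

Run against the sample, the strict path returns an empty cache with the error swallowed, even though two of the three applications were perfectly valid; the tolerant path returns all three. The point of `audit_registry` is that the check can be run against a registry dump before a Steeltoe client is deployed into a mixed mesh, which is the audit the Mitigations section asks for.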
How to patch CVE-2026-50196
To patch CVE-2026-50196, upgrade the affected package to the fixed version below.
- — upgrade to 4.2.0 or later
Is CVE-2026-50196 being exploited?
There are currently no signals of exploitation. CVE-2026-50196 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- >= 4.0.0, < 4.2.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |