CVE-2026-50201
Steeltoe's sensitive actuators (heapdump/env) only require Restricted permission
Description
### Summary

All Steeltoe actuator endpoints default to `EndpointPermissions.Restricted`, which is mapped to Cloud Foundry's `read_basic_data` permission (granted to Space Auditors and similar low-trust roles). Sensitive actuators, including heap dump, environment, and thread dump, do not raise this to `EndpointPermissions.Full`, so CF's `read_sensitive_data` permission flag is not enforced for those endpoints. Spring Boot's equivalent Cloud Foundry integration gates these endpoints with `read_sensitive_data` by default.

### Impact

Any CF user holding the Space Auditor, Space Manager, or Org Auditor role can access the heap dump, environment, and thread dump actuators of any Steeltoe application in their space. A heap dump contains all in-memory data, including database passwords, bearer tokens, and VCAP_SERVICES credentials. CF's `read_sensitive_data` permission, which is specifically designed to gate this access, has no effect.

### Affected configuration

- The application is deployed on Cloud Foundry with the CF actuator and security middleware active (added automatically by `AddAllActuators()` when a CF environment is detected).
- The attacker holds a CF role that grants `read_basic_data`: Space Auditor, Space Manager, or Org Auditor.

### Mitigations

If an immediate upgrade is not possible:

- Explicitly set `RequiredPermissions = EndpointPermissions.Full` in the options for `HeapDumpEndpointOptions`, `EnvironmentEndpointOptions`, and `ThreadDumpEndpointOptions`.
- If heap dump, thread dump, or environment are not needed in production, register only the required actuators individually instead of using `AddAllActuators()`.
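The first mitigation above, applied in an ASP.NET Core `Program.cs`, as an added example that is not part of the advisory or of the Steeltoe project. The option class names, the `EndpointPermissions.Full` value and `AddAllActuators()` come from the advisory; the `using` namespaces and the individual `AddHealthActuator()` / `AddInfoActuator()` registrations are assumed from Steeltoe 4's layout and should be checked against the version in use.

```csharp
// Added example (not from the advisory or the Steeltoe project).
// Keeps the full actuator set but raises the three sensitive endpoints to
// EndpointPermissions.Full, so Cloud Foundry's read_sensitive_data permission
// is required to reach them instead of read_basic_data.
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Steeltoe.Management.Endpoint;                       // AddAllActuators (namespace assumed)
using Steeltoe.Management.Endpoint.Actuators.HeapDump;    // HeapDumpEndpointOptions (namespace assumed)
using Steeltoe.Management.Endpoint.Actuators.Environment; // EnvironmentEndpointOptions (namespace assumed)
using Steeltoe.Management.Endpoint.Actuators.ThreadDump;  // ThreadDumpEndpointOptions (namespace assumed)

var builder = WebApplication.CreateBuilder(args);

// Vulnerable default: every actuator, including heap dump, environment and
// thread dump, stays at EndpointPermissions.Restricted (CF read_basic_data).
builder.Services.AddAllActuators();

// Mitigation: override RequiredPermissions for the sensitive endpoints.
// IConfigureOptions<T> callbacks run in registration order, so these run after
// Steeltoe's own option binding and take precedence over the default.
builder.Services.Configure<HeapDumpEndpointOptions>(
    options => options.RequiredPermissions = EndpointPermissions.Full);
builder.Services.Configure<EnvironmentEndpointOptions>(
    options => options.RequiredPermissions = EndpointPermissions.Full);
builder.Services.Configure<ThreadDumpEndpointOptions>(
    options => options.RequiredPermissions = EndpointPermissions.Full);

// Alternative (second mitigation): do not call AddAllActuators() at all and
// register only what production needs, leaving the sensitive endpoints unmapped.
// The extension method names below are assumed from Steeltoe 4.
// builder.Services.AddHealthActuator();
// builder.Services.AddInfoActuator();

var app = builder.Build();
app.Run();
```

After deploying, confirm the change from a CF account that holds only `read_basic_data` (for example a Space Auditor): requests to `/actuator/heapdump`, `/actuator/env` and `/actuator/threaddump` should now be rejected, while `/actuator/health` and `/actuator/info` still answer. If the sensitive endpoints remain reachable, the override did not take effect, most likely because the option types or namespaces differ in the Steeltoe version you are running.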
How to patch CVE-2026-50201
To patch CVE-2026-50201, upgrade the affected package to one of the patched versions below.
- — Upgrade to 4.2.0 or later
- — Upgrade to 3.4.0 or later
Is CVE-2026-50201 being exploited?
There is currently no signal of exploitation. CVE-2026-50201 is neither listed in CISA KEV nor has a recent EPSS score.