CVE-2026-50196
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, the `DataCenterInfo.FromJson` method throws an `ArgumentException` for any `name` value other than 'MyOwn' or 'Amazon', leading to issues with service registry deserialization.
Risk Assessment
Organizations may experience availability issues with the local service registry, potentially causing application failures in the cloud. An empty or stale registry can impact the operation of dependent services.
Recommendation
It is recommended to upgrade to versions 4.2.0 or 3.4.0 to mitigate this vulnerability. If an upgrade is not possible, remove any registrations with unsupported `DataCenterInfo.name` values from the registry.
Original NVD description (English source)
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.

