CVE-2026-50200
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
In versions prior to 4.2.0 of Steeltoe.Management.Endpoint and 3.4.0 of Steeltoe.Management.EndpointCore, the `Sanitizer` component improperly masks configuration values, allowing full connection strings to be exposed in `/actuator/env` responses. The default suffix list does not cover the standard .NET pattern `ConnectionStrings:<name>` or `Steeltoe:Client:<type>:Default:ConnectionString`.
Risk Assessment
The exposure of full connection strings may lead to the leakage of sensitive information such as passwords and credentials, posing a serious security threat to the application and the organization's data.
Recommendation
Immediate upgrade to version 4.2.0 or 3.4.0 is recommended. If an upgrade is not possible, remove `env` from the actuator exposure list and add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure.
Original NVD description (English source)
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the `Sanitizer` component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (`password`, `secret`, `key`, `token`, `.*credentials.*`, `vcap_services`) does not cover the standard .NET pattern `ConnectionStrings:<name>` or Steeltoe Connectors' `Steeltoe:Client:<type>:Default:ConnectionString`. There is no value-based scrubbing, so full connection string values including embedded `Password=` and `user:pass@host` segments are returned verbatim in `/actuator/env` responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove `env` from the actuator exposure list; add `.*connectionstring.*` to `KeysToSanitize` as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.

