CVE-2026-58172
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
A vulnerability in Ocelot through version 24.1.0 (fixed in commit f156fd4) allows bypassing IP-based access controls by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcing the allow/block list.
Risk Assessment
The organization may lose control over access to backend services, allowing attackers from blocked IP addresses to bypass security and access protected resources via WebSocket.
Recommendation
Immediately update Ocelot to a version containing commit f156fd4 or later, and verify the WebSocket pipeline configuration for the presence of SecurityMiddleware.
Original NVD description (English source)
Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.

