Back to overview

CVE-2026-50196

HIGH
7.5
CVSS 3.1
Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, `DataCenterInfo.FromJson` throws `ArgumentException` for any `name` value other than `"MyOwn"` or `"Amazon"`, despite the Java Eureka specification defining a third valid value: `"Netflix"`. The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported `DataCenterInfo.name` values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the `Netflix` data center type before deploying Steeltoe Eureka clients.

Metadata

CVE ID
CVE-2026-50196
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-03 22:05 UTC
Published
2026-06-17 21:18 UTC
Last updated
2026-06-17 21:18 UTC
Primary CWE
CWE-20
CWE-20: Improper Input Validation
Vendor / Product
SteeltoeOSS / Steeltoe.Discovery.Eureka
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products (1)
VendorProductPlatformVersions
SteeltoeOSS Steeltoe.Discovery.Eureka >= 4.0.0, < 4.2.0, < 3.4.0
Weakness (CWE)
CWESourceDescription
CWE-20 cna CWE-20: Improper Input Validation
CWE-400 cna CWE-400: Uncontrolled Resource Consumption
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References (3)
Back to overview