CVE-2026-50196

Source
https://cve.org/CVERecord?id=CVE-2026-50196
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50196.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-50196
Aliases
Published
2026-06-17T21:18:42.651Z
Modified
2026-07-08T08:12:35.242547989Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Steeltoe.Discovery.Eureka: Unrecognized DataCenterInfo.Name poisons entire registry fetch
Details

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Discovery.Eureka prior to versions 4.2.0 and 3.4.0, DataCenterInfo.FromJson throws ArgumentException for any name value other than "MyOwn" or "Amazon", despite the Java Eureka specification defining a third valid value: "Netflix". The exception propagates through the entire registry deserialization chain and is swallowed by the periodic cache refresh task, leaving the local service registry permanently empty or stale. Versions 4.2.0 and 3.4.0 patch the issue. If an immediate upgrade is not possible, remove any registrations using unsupported DataCenterInfo.name values from the registry. In mixed Java/Spring and Steeltoe environments, audit for the Netflix data center type before deploying Steeltoe Eureka clients.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50196.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/steeltoeoss/steeltoe

Affected ranges

Type
GIT
Repo
https://github.com/steeltoeoss/steeltoe
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.2.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.4.0"
        }
    ]
}

Affected versions

3.*
3.0.0
3.0.0-m1
3.0.0-m2
3.0.0-m3
3.0.0-rc1
3.0.1
3.0.2
3.0.x_2021-Jan-12
3.1.0
3.1.0-rc1
3.1.0-rc2
3.1.1
3.2.0
3.2.0-rc1
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5
3.2.6
3.2.7
3.2.8
3.3.0
4.*
4.0.0
4.0.0-beta1
4.0.0-rc1
4.1.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50196.json"