The Sanitizer component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list (password, secret, key, token, .*credentials.*, vcap_services) does not cover the standard .NET pattern ConnectionStrings:<name> or Steeltoe Connectors' Steeltoe:Client:<type>:Default:ConnectionString. There is no value-based scrubbing, so full connection string values including embedded Password= and user:pass@host segments are returned verbatim in /actuator/env responses.
Any caller who can reach /actuator/env can receive connection strings containing plaintext credentials. Those credentials enable direct connection to the backing database, bypassing the application tier.
Conditions for exposure:
- Configuration contains ConnectionStrings:* or *:ConnectionString keys.
- env is added to Management:Endpoints:Actuator:Exposure:Include. This is not the default.
- The /cloudfoundryapplication/env path is accessible to any authenticated CF user with read_basic_data permissions (Space Auditor and above) regardless of the exposure configuration.

If an immediate upgrade is not possible:
- Remove env from the actuator exposure list.
- Add .*connectionstring.* to KeysToSanitize as a defense-in-depth measure for both paths.
{
"github_reviewed_at": "2026-07-02T20:31:11Z",
"nvd_published_at": "2026-06-17T22:16:24Z",
"github_reviewed": true,
"cwe_ids": [
"CWE-200",
"CWE-319"
],
"severity": "HIGH"
}
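The following is an added example, not Steeltoe's own code: a simplified model of the key-name matching described above (plain entries matched as case-insensitive suffixes, entries containing regex metacharacters matched as a regex over the whole key), showing why the default list misses ConnectionStrings:Default, how the .*connectionstring.* workaround closes the gap, and what a value-based scrub of Password= and user:pass@host segments would look like. The matching heuristic, the scrub_value function and the sample keys are assumptions constructed for illustration.

```python
import re

# Default key list as stated in the advisory (suffixes plus one regex).
DEFAULT_KEYS_TO_SANITIZE = ["password", "secret", "key", "token", ".*credentials.*", "vcap_services"]
# Workaround from the advisory: add a pattern covering ConnectionStrings:* and *:ConnectionString.
HARDENED_KEYS_TO_SANITIZE = DEFAULT_KEYS_TO_SANITIZE + [".*connectionstring.*"]

# Heuristic (assumption): an entry containing any of these characters is treated as a regex.
_REGEX_CHARS = re.compile(r"[*$^+?.|()\[\]{}\\]")


def key_is_sensitive(key: str, keys_to_sanitize: list[str]) -> bool:
    """Simplified model of key-name matching; not Steeltoe's implementation."""
    for pattern in keys_to_sanitize:
        if _REGEX_CHARS.search(pattern):
            if re.fullmatch(pattern, key, re.IGNORECASE):
                return True
        elif key.lower().endswith(pattern.lower()):
            return True
    return False


# Value-based scrubbing (hypothetical addition): redact "Password=..." / "Pwd=..." segments
# and the credential part of "scheme://user:pass@host" URIs, keeping the rest of the value.
_KV_SECRET = re.compile(r"(?i)\b(password|pwd)\s*=\s*[^;]*")
_URI_SECRET = re.compile(r"(?<=://)([^:/@\s]+):([^@\s]+)@")


def scrub_value(value: str) -> str:
    value = _KV_SECRET.sub(lambda m: f"{m.group(1)}=******", value)
    return _URI_SECRET.sub(r"\1:******@", value)


def sanitize(props: dict[str, str], keys_to_sanitize: list[str], scrub_values: bool = False) -> dict[str, str]:
    """Return the property map as an /actuator/env response would expose it."""
    out = {}
    for key, value in props.items():
        if key_is_sensitive(key, keys_to_sanitize):
            out[key] = "******"          # key-name match: whole value masked
        elif scrub_values:
            out[key] = scrub_value(value)  # defense in depth: mask embedded secrets
        else:
            out[key] = value
    return out


SAMPLE_PROPS = {  # constructed sample configuration, not real credentials
    "ConnectionStrings:Default": "Server=db;Database=app;User Id=app;Password=S3cret!",
    "Steeltoe:Client:PostgreSql:Default:ConnectionString": "postgres://app:hunter2@db:5432/app",
    "Jwt:SigningKey": "abc",
    "Logging:LogLevel:Default": "Information",
}
```

With the default list, sanitize(SAMPLE_PROPS, DEFAULT_KEYS_TO_SANITIZE) masks Jwt:SigningKey but returns both connection strings verbatim; with HARDENED_KEYS_TO_SANITIZE both are masked.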