Steeltoe actuator port isolation bypass via spoofed Host header (CVSS 8.2)
CVE-2026-50194 — Steeltoe's management-endpoint middleware uses the HTTP `Host` header to determine whether a request is on the management port, rather than the actual TCP socket. When `Management:Endpoints:Port` is configured and the public port is network-reachable, an unauthenticated attacker can reach every actuator (heap dump, env, thread dump) by sending a crafted Host header. Companion advisories cover env-sanitizer leaks and sensitive-actuator permissions.
Same lesson pattern as prior Spring Boot Actuator bugs: never trust HTTP headers for network-topology decisions. If you run Steeltoe .NET services in Kubernetes, patch and enforce actuator isolation at the NetworkPolicy or ingress level, not the app config.