CVE-2026-58172 in Ocelot
Summary
by MITRE • 06/30/2026
Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.
Analysis
by VulDB Data Team • 06/30/2026
This vulnerability affects the Ocelot API gateway framework, version 24.1.0 and earlier: a security control bypass caused by improper middleware configuration in the handling of WebSocket upgrade requests. The flaw lies in the MapWhen pipeline branch in OcelotPipelineExtensions.cs that handles WebSocket upgrade requests, leaving a gap in the access control mechanism that lets unauthorized clients bypass IP-based restrictions.
The root cause is the omission of SecurityMiddleware from the WebSocket upgrade pipeline branch: the MapWhen configuration creates a separate execution path for WebSocket connections, and that path does not pass through the standard security enforcement. When a client attempts to establish a WebSocket connection, the request therefore follows a route through the pipeline that lacks the IP filtering and access control checks applied to regular HTTP requests. This is particularly serious at the gateway level, where all incoming traffic should be subject to the same security policies regardless of the protocol in use.
The operational impact goes beyond simple unauthorized access: the gap is a potential entry point for bypassing the network-level restrictions that API gateway security models depend on. IP-based allow/block lists configured through Ocelot's configuration system are ineffective for WebSocket connections, so a client at a blocked IP address may establish a connection and reach downstream services that should be restricted. A single gap in the pipeline routing logic thus undermines the gateway's entire access control posture.
The vulnerability corresponds to CWE-693 Protection Mechanism Failure, since the security controls are not applied consistently across the different request handling paths of the same framework. It also aligns with ATT&CK technique T1071.004 Application Layer Protocol: Web Protocols, where adversaries exploit weaknesses in protocol handling to bypass security controls. Organizations running Ocelot versions prior to the fix may see unauthorized access to backend services that should be restricted by IP address, potentially leading to data breaches, service disruption, or lateral movement within the network.
Mitigation should start with upgrading to version 24.1.1 or later, where the security control bypass has been addressed by including the security middleware in all pipeline branches. Administrators should also monitor and log WebSocket connections to detect unusual access patterns that might indicate exploitation attempts. Network-level controls such as firewall rules and intrusion detection systems add defense in depth, but the root cause must be fixed within the Ocelot framework itself. Organizations should test their gateway configurations to confirm that every request path enforces the configured access control policies regardless of the protocol being used.
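As an added illustration of the pipeline mechanism described in the analysis and of the fix named above (an example written for this page, not Ocelot's own code), the following minimal ASP.NET Core app shows a MapWhen WebSocket branch that skips the IP check beside the corrected form. EnforceIpAllowList is a hypothetical stand-in for SecurityMiddleware, ProxyDownstream is a placeholder for the proxy step, the allow list is constructed, and the ASP.NET Core Web SDK with implicit usings is assumed.

```csharp
// Added example (not Ocelot's code): an ASP.NET Core app with the defect's shape and its fix.
// Assumes the ASP.NET Core Web SDK with implicit usings (.NET 6 or later).
using System.Net;

var app = WebApplication.CreateBuilder(args).Build();

// Constructed sample allow list, standing in for the gateway's configured allow/block list.
var allowed = new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

// Hypothetical stand-in for Ocelot's SecurityMiddleware: reject clients not on the list.
Task EnforceIpAllowList(HttpContext ctx, Func<Task> next)
{
    var remote = ctx.Connection.RemoteIpAddress;
    if (remote is null || !allowed.Contains(remote))
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return Task.CompletedTask;
    }
    return next();
}

// Placeholder for the proxy step; a real gateway would forward the request downstream here.
Task ProxyDownstream(HttpContext ctx) => ctx.Response.WriteAsync("proxied");

if (args.Contains("--vulnerable"))
{
    // Vulnerable shape (the class of bug in the advisory): a MapWhen branch is a
    // separate pipeline that never rejoins the parent, so middleware registered
    // after it only runs for requests the predicate rejects. The allow-list check
    // therefore covers ordinary HTTP requests but not WebSocket upgrades.
    app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest,
                branch => branch.Run(ProxyDownstream));
    app.Use(EnforceIpAllowList);
    app.Run(ProxyDownstream);
}
else
{
    // Fixed shape: the same enforcement middleware is included in the WebSocket
    // branch, so every path to the downstream service passes the same check.
    app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest, branch =>
    {
        branch.Use(EnforceIpAllowList);
        branch.Run(ProxyDownstream);
    });
    app.Use(EnforceIpAllowList);
    app.Run(ProxyDownstream);
}

app.Run();
```

Starting the app with `--vulnerable` builds the unguarded branch for side-by-side testing; the default configuration is the corrected one.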