A critical security control bypass in the Ocelot API gateway lets denied clients evade IP-based access restrictions by sending WebSocket upgrade requests.
What Is It
CVE-2026-58172 is a security control bypass (CWE-288, Authentication Bypass Using an Alternate Path) in ThreeMammals' Ocelot, an open-source .NET API gateway. The WebSocket upgrade pipeline branch, configured via MapWhen in OcelotPipelineExtensions.cs, omits SecurityMiddleware. As a result, WebSocket upgrade requests skip enforcement of the configured allow/block list, and traffic from blocked IP addresses is proxied to downstream services. The flaw affects Ocelot through version 24.1.0.
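To make the root cause concrete, here is an added illustration in plain ASP.NET Core of the bug shape described above: a MapWhen branch forked off the pipeline before the security middleware runs, so matching requests never reach it, alongside the ordering that closes the gap. This is example code, not Ocelot's own pipeline or its SecurityMiddleware; the names allowedClients, IpFilter, ProxyWebSocket and ProxyHttp, and the sample allow-list entry, are assumptions made for the example.

```csharp
// Added illustration, not Ocelot's code. Assumed names: allowedClients,
// IpFilter, ProxyWebSocket, ProxyHttp. Runs as Program.cs of an ASP.NET Core
// (.NET 6 or later) web project.
using System.Collections.Generic;
using System.Net;
using System.Net.WebSockets;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();

// Constructed allow list for the example; a real gateway loads this from config.
var allowedClients = new HashSet<IPAddress> { IPAddress.Parse("10.0.0.5") };

// VULNERABLE ORDERING (kept as a comment so this file only runs the hardened form):
//
//   app.UseWebSockets();
//   app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest,
//               ws => ws.Run(ProxyWebSocket));   // branch forked BEFORE the filter
//   app.Use(IpFilter);                           // only non-upgrade requests get here
//   app.Run(ProxyHttp);
//
// MapWhen terminates the main pipeline for matching requests, so an
// "Upgrade: websocket" request from a blocked address is proxied without
// ever passing through IpFilter.

// HARDENED ORDERING: enforce the allow list once, before any branch exists,
// so plain HTTP and WebSocket upgrade requests share the same check.
app.Use(IpFilter);
app.UseWebSockets();
app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest,
            ws => ws.Run(ProxyWebSocket));
app.Run(ProxyHttp);

app.Run();

// Allow-list check. Kestrel may report IPv4 clients as IPv4-mapped IPv6
// addresses (::ffff:a.b.c.d); normalise so the set lookup matches.
async Task IpFilter(HttpContext ctx, RequestDelegate next)
{
    var remote = ctx.Connection.RemoteIpAddress;
    if (remote is { IsIPv4MappedToIPv6: true }) remote = remote.MapToIPv4();

    if (remote is null || !allowedClients.Contains(remote))
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;   // short-circuit: nothing downstream runs, upgrade or not
    }
    await next(ctx);
}

// Stand-ins for the downstream proxying a gateway would perform.
async Task ProxyWebSocket(HttpContext ctx)
{
    using var socket = await ctx.WebSockets.AcceptWebSocketAsync();
    await socket.CloseAsync(WebSocketCloseStatus.NormalClosure,
                            "stand-in for downstream proxy", CancellationToken.None);
}

Task ProxyHttp(HttpContext ctx) => ctx.Response.WriteAsync("proxied over HTTP");
```

The general rule the hardened ordering applies: any middleware that enforces access control must be registered before every MapWhen, Map or UseWhen fork, or be added explicitly inside each branch, because a branch that matches a request ends the main pipeline for it. A cheap regression check for a deployment is to send a request carrying "Connection: Upgrade" and "Upgrade: websocket" headers from an address outside the allow list and confirm the gateway answers 403 rather than completing the upgrade.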
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; the secondary CVSS 4.0 score is 9.3. It is network-exploitable at low attack complexity, requires no privileges and no user interaction, and yields high confidentiality and integrity impact. Any IP-based access restriction, a core defense for gateways fronting internal services, can be circumvented simply by issuing a WebSocket upgrade request, exposing downstream services that operators believe are shielded.
What's Vulnerable
- Vendor: ThreeMammals
- Product: Ocelot API gateway
- Affected versions: All releases up to and including 24.1.0
- Condition: Deployments relying on Ocelot's IP allow/block list for access control
The supplied data lists no affected CPEs. Deployments that do not configure IP-based allow/block enforcement are outside the scope of this specific bypass.
Patch Status
The issue is fixed in commit f156fd4017ca25025fffdad8ec56c1d657dfb402, which restores security enforcement on the WebSocket upgrade path. Operators should upgrade to a build containing this fix (delivered via pull request #2406). No CISA KEV entry was supplied for this CVE, so there is no confirmation of active exploitation or an associated required-action due date in the provided source material.
Sources
- NVD, CVE-2026-58172: https://nvd.nist.gov/vuln/detail/CVE-2026-58172
- VulnCheck Advisory, Ocelot IP allow/block list bypass for WebSocket upgrade requests: https://www.vulncheck.com/advisories/ocelot-ip-allow-block-list-bypass-for-websocket-upgrade-requests
- Ocelot fix commit f156fd4: https://github.com/ThreeMammals/Ocelot/commit/f156fd4017ca25025fffdad8ec56c1d657dfb402
- Ocelot Issue #2403: https://github.com/ThreeMammals/Ocelot/issues/2403
- Ocelot Pull Request #2406: https://github.com/ThreeMammals/Ocelot/pull/2406