CVE-2026-58172 CRITICAL

CVE-2026-58172: Ocelot - IP Allow/Block List Bypass for WebSocket Upgrade Requests

Vendor Threemammals
Product Ocelot
Weakness CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Published June 30, 2026
Last update July 1, 2026

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Ocelot through 24.1.0 (fixed in commit f156fd4) contains a security control bypass that lets clients denied by an IP allow/block list evade the restriction simply by sending a WebSocket upgrade request. In OcelotPipelineExtensions.cs the WebSocket upgrade branch of the request pipeline, selected via MapWhen, omits SecurityMiddleware, so upgrade requests from blocked IP addresses are proxied to downstream services without the configured allow/block list ever being evaluated. Because the check is only absent from the WebSocket branch, the bypass requires nothing beyond the standard upgrade headers on an otherwise ordinary request.
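The pipeline-branching mistake described above, as an added illustration in a minimal ASP.NET Core app. This is not Ocelot's code and does not reproduce the actual contents of OcelotPipelineExtensions.cs or commit f156fd4: the inline ipFilter stands in for SecurityMiddleware, the ProxyHttpAsync and ProxyWebSocketAsync handlers stand in for the downstream proxy, and the PIPELINE and BLOCKED_IP environment variables are hypothetical switches added so the vulnerable and hardened orderings can be run side by side. It assumes a .NET 6 or later web project.

```csharp
// Added illustration (not Ocelot's code): an IP filter that a MapWhen WebSocket
// branch skips, beside the middleware ordering that closes the gap.
// Hypothetical names: ipFilter, ProxyHttpAsync, ProxyWebSocketAsync, PIPELINE, BLOCKED_IP.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.WebSockets;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();
app.UseWebSockets();   // populates HttpContext.WebSockets so IsWebSocketRequest is meaningful

// Hypothetical block list. Defaults to loopback so a local curl plays the blocked client.
var blocked = new HashSet<IPAddress> { IPAddress.Loopback, IPAddress.IPv6Loopback };
if (Environment.GetEnvironmentVariable("BLOCKED_IP") is { Length: > 0 } ip)
    blocked = new HashSet<IPAddress> { IPAddress.Parse(ip) };

// Stand-in for the access-control middleware: reject listed source addresses.
// It deliberately trusts only the socket peer and ignores X-Forwarded-For.
Func<HttpContext, RequestDelegate, Task> ipFilter = async (ctx, next) =>
{
    var remote = ctx.Connection.RemoteIpAddress;
    if (remote is not null && blocked.Contains(remote))
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        await ctx.Response.WriteAsync("blocked by ip filter\n");
        return;
    }
    await next(ctx);
};

if (Environment.GetEnvironmentVariable("PIPELINE") == "vulnerable")
{
    // Vulnerable shape: MapWhen forks the pipeline, and the fork runs only the
    // middleware registered on `ws`. ipFilter is registered on the main pipeline
    // afterwards, so an upgrade request never reaches it and is proxied directly.
    app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest, ws =>
    {
        ws.Run(ProxyWebSocketAsync);    // no access-control check in this branch
    });
    app.Use(ipFilter);
    app.Run(ProxyHttpAsync);
}
else
{
    // Hardened shape: register the check before the fork so both the branch and
    // the main pipeline inherit it. Adding ws.Use(ipFilter) inside the branch
    // would be the equivalent per-branch fix.
    app.Use(ipFilter);
    app.MapWhen(ctx => ctx.WebSockets.IsWebSocketRequest, ws =>
    {
        ws.Run(ProxyWebSocketAsync);
    });
    app.Run(ProxyHttpAsync);
}

app.Run();

// Placeholders for the downstream proxy; a real gateway would forward the traffic.
static Task ProxyHttpAsync(HttpContext ctx) =>
    ctx.Response.WriteAsync("proxied http request to downstream\n");

static async Task ProxyWebSocketAsync(HttpContext ctx)
{
    // AcceptWebSocketAsync completes the handshake, i.e. sends 101 Switching Protocols.
    using WebSocket socket = await ctx.WebSockets.AcceptWebSocketAsync();
    var greeting = System.Text.Encoding.UTF8.GetBytes("proxied websocket to downstream");
    await socket.SendAsync(new ArraySegment<byte>(greeting), WebSocketMessageType.Text, true, CancellationToken.None);
    await socket.CloseAsync(WebSocketCloseStatus.NormalClosure, "done", CancellationToken.None);
}
```

To see the bypass, start it with `PIPELINE=vulnerable dotnet run` and send two requests from the blocked (loopback) address: a plain `curl -i http://localhost:5000/` is answered 403 by ipFilter, while the same URL with `-H 'Connection: Upgrade' -H 'Upgrade: websocket' -H 'Sec-WebSocket-Version: 13' -H 'Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=='` (add `--max-time 2`, since curl will otherwise wait on the open socket) is answered 101 and reaches the proxy handler. Without PIPELINE set, both requests get 403. The same pair of requests, sent from an address that a deployed gateway is configured to deny, is the quickest way to check whether an Ocelot instance is affected: a 101 or any downstream response to the upgrade request means the allow/block list is not being applied on that path.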

Key dates

02 Disclosure timeline

June 30, 2026 CVE published
July 1, 2026 Record updated