External risk intelligence

Ocelot IP Restriction Bypass via WebSocket Upgrade

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-58172

Ocelot is an API gateway designed to act as an entry point for services, typically deployed at the network edge to manage, route, and secure traffic. Because it is explicitly intended to handle incoming requests and sit between the public internet and backend services, it is highly likely to be internet-facing in standard production deployments.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security control bypass vulnerability has been identified in Ocelot, an API gateway, allowing unauthenticated clients to circumvent IP-based access restrictions. This occurs when WebSocket upgrade requests are processed in a way that omits security middleware, enabling requests from blocked IP addresses to reach downstream services without proper enforcement of access policies.

  • Unauthenticated clients can bypass IP access rules.
  • It affects how API gateways control network access.
  • Confirm if Ocelot is used and verify its network exposure.

Attack Path

How an attacker could exploit the issue

An attacker could bypass IP-based access restrictions by sending a specially crafted WebSocket upgrade request. This request would exploit a flaw in how Ocelot processes these upgrades, causing the security middleware to be skipped. As a result, requests from blocked IP addresses might be forwarded to internal services without proper checks, potentially exposing them to unauthorized access.

  • No authentication or special access needed.
  • Triggered by a WebSocket upgrade request.
  • Allows bypass of IP restrictions.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow unauthorized clients to bypass IP-based access restrictions when connecting to downstream services through Ocelot. When Ocelot's WebSocket upgrade pipeline is improperly configured, requests from blocked IP addresses may be forwarded without enforcement of allow or block lists, potentially exposing services that should be protected.

  • Sensitive service requests could be exposed.
  • Blocked IP addresses may access services.
  • Unauthorized access to backend services.

Operational Fix

Recommended remediation, mitigation, and detection steps

The security control bypass in Ocelot affects how WebSocket upgrade requests are handled, potentially allowing denied clients to circumvent IP-based access restrictions. The team responsible for the API gateway, likely an infrastructure or platform team, should first identify all Ocelot instances, determine their exposure, and assess business criticality. Planning for remediation should then consider vendor coordination and maintenance windows to minimize operational impact.

  • API Gateway team owns the issue.
  • Verify Ocelot instances and network exposure.
  • Plan and coordinate remediation actions.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Ocelot and how is it used?

Ocelot is an open-source API gateway framework for .NET. It functions as an entry point for microservices, sitting between clients and backend systems to manage, route, and secure traffic. Developers use it to centralize cross-cutting concerns like authentication, routing, and access control policies for distributed service architectures.

What does CWE-288 mean for CVE-2026-58172?

CWE-288 represents an Authentication Bypass Using an Alternate Path or Channel. In this CVE, the vulnerability allows traffic to skip security checks because the code path handling WebSocket upgrades inadvertently ignores the middleware responsible for enforcing IP-based access lists. Essentially, the software takes a shortcut that bypasses the security controls meant to block unauthorized clients.

How can an attacker trigger this bypass?

An attacker triggers the vulnerability by sending a specific WebSocket upgrade request to the gateway. The issue is specific to this upgrade pipeline; standard HTTP requests that do not initiate a WebSocket upgrade are not affected and remain subject to the configured IP restrictions. The flaw exists because the gateway logic incorrectly routes these upgrade requests around the security middleware.

Who should be concerned about this vulnerability?

If you use Ocelot to protect internal services, you should be concerned. According to Halo Surface Signal, Ocelot is designed to act as an edge entry point, meaning it is typically deployed where it faces the public internet. If your instance is internet-facing, attackers can leverage this path to reach downstream services that were intended to be protected by IP allow or block lists.

How should I respond to this threat?

First, identify all instances of Ocelot within your infrastructure to assess their exposure level. Once identified, evaluate if those gateways handle WebSocket traffic. If they do, coordinate with your platform or infrastructure team to plan an update. Review the vendor's guidance for the specific fix in commit f156fd4 to determine the appropriate maintenance window for applying the security patch.

References