Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Management.Endpoint prior to version 4.2.0 and Steeltoe.Management.EndpointCore prior to version 3.4.0, the "Sanitizer" component in the Environment actuator redacts configuration values by matching the configuration key name against a suffix list. The default list ("password", "secret", "key", "token", ".*credentials.*", "vcap_services") does not cover the standard .NET pattern "ConnectionStrings:<name>" or Steeltoe Connectors' "Steeltoe:Client:<type>:Default:ConnectionString". There is no value-based scrubbing, so full connection string values including embedded "Password=" and "user:pass@host" segments are returned verbatim in "/actuator/env" responses. Steeltoe.Management.Endpoint 4.2.0 and Steeltoe.Management.EndpointCore 3.4.0 patch the issue. If an immediate upgrade is not possible: On the standard path, remove "env" from the actuator exposure list; add ".*connectionstring.*" to "KeysToSanitize" as a defense-in-depth measure for both paths; and/or require authorization on actuator endpoints.