CVE-2026-50268

Summary

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the OAEP setting selects PKCS#1 v1.5, which is the same algorithm as the DEFAULT setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.

Affected Software

VendorProductVersion RangeStatus
SteeltoeOSSSteeltoe.Configuration.Encryption>= 4.0.0, < 4.2.0affected

Weaknesses

  • CWE-256: CWE-256: Plaintext Storage of a Password
  • CWE-327: CWE-327: Use of a Broken or Risky Cryptographic Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References