CVE-2026-50268 | Steeltoe is an open source project that provides a collectio… | CVSS 1.9 LOW

Description

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.

Metadata

CVE ID: CVE-2026-50268
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-04 16:26 UTC
Published: 2026-06-17 22:01 UTC
Last updated: 2026-06-17 22:01 UTC
Primary CWE: CWE-256
CWE-256: Plaintext Storage of a Password
Vendor / Product: SteeltoeOSS / Steeltoe.Configuration.Encryption
Sources: cve.org · NVD

Severity & Metrics

1.9 LOW CVSS 3.1

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

Affected products (1)

Vendor	Product	Platform	Versions
SteeltoeOSS	Steeltoe.Configuration.Encryption	—	>= 4.0.0, < 4.2.0

Weakness (CWE)

CWE	Source	Description
CWE-256	cna	CWE-256: Plaintext Storage of a Password
CWE-327	cna	CWE-327: Use of a Broken or Risky Cryptographic Algorithm

CVSS scores (1)

Score	Severity	Version	Source	Vector
1.9	LOW	3.1	cna	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N

References (2)

https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-4j9m-h44m-2hv8 https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-4j9m-h44m-2hv8
https://github.com/SteeltoeOSS/Steeltoe/commit/6cfee5cccddf8f9a31de69b0ca5ccdd771b73e5b https://github.com/SteeltoeOSS/Steeltoe/commit/6cfee5cccddf8f9a31de69b0ca5ccdd771b73e5b