CVE-2026-50268
Incorrect RSA Encryption Configuration in Steeltoe Configuration Encryption

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: GitHub, Inc.

Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.
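As an added example, not Steeltoe's or BouncyCastle's code: the two RSA encodings the description contrasts, RSAES-PKCS1-v1_5 and RSAES-OAEP, built on the Python standard library, with a check that tells them apart once the private-key operation has recovered the encoded message EM; this is what an operator would run against values encrypted under the `OAEP` setting to confirm which padding was really applied. Assumed, since the page does not state them: SHA-256 with MGF1 as the OAEP hash, a 2048-bit modulus (256-byte EM), and an empty OAEP label; the modular exponentiation itself is left out because the padding layer is where the two settings differ.

```python
import hashlib
import os
K = 256  # EM length in bytes for a 2048-bit RSA modulus (assumed; the page does not state the key size)
def mgf1(seed, length):
    """MGF1 from PKCS#1 with SHA-256: hashes of seed || 4-byte counter, truncated to length."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def pkcs1_v15_encode(msg, k=K):
    """RSAES-PKCS1-v1_5: EM = 0x00 || 0x02 || PS (random non-zero bytes) || 0x00 || M."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long")
    ps = b""
    while len(ps) < ps_len:  # draw random bytes, dropping zeros, until PS is long enough
        ps += bytes(b for b in os.urandom(ps_len) if b)
    return b"\x00\x02" + ps[:ps_len] + b"\x00" + msg

def oaep_encode(msg, k=K, label=b""):
    """RSAES-OAEP: EM = 0x00 || maskedSeed || maskedDB with DB = lHash || zeros || 0x01 || M."""
    h = 32
    if len(msg) > k - 2 * h - 2:
        raise ValueError("message too long")
    db = hashlib.sha256(label).digest() + b"\x00" * (k - len(msg) - 2 * h - 2) + b"\x01" + msg
    seed = os.urandom(h)
    masked_db = bytes(a ^ b for a, b in zip(db, mgf1(seed, k - h - 1)))
    masked_seed = bytes(a ^ b for a, b in zip(seed, mgf1(masked_db, h)))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, label=b""):
    """Undo oaep_encode; None when the OAEP structure does not check out."""
    h = 32
    masked_seed, masked_db = em[1:1 + h], em[1 + h:]
    seed = bytes(a ^ b for a, b in zip(masked_seed, mgf1(masked_db, h)))
    db = bytes(a ^ b for a, b in zip(masked_db, mgf1(seed, len(em) - h - 1)))
    sep = db.find(b"\x01", h)
    if em[0] != 0 or db[:h] != hashlib.sha256(label).digest() or sep < 0 or any(db[h:sep]):
        return None
    return db[sep + 1:]

def classify_padding(em):
    """Name the encoding a recovered EM carries; PKCS1v15 under an 'OAEP' setting is the bug."""
    if oaep_decode(em) is not None:
        return "OAEP"
    if em[:2] == b"\x00\x02" and b"\x00" in em[10:]:
        return "PKCS1v15"
    return "unknown"
```

Feeding `classify_padding` the raw private-key output for a stored ciphertext distinguishes the two settings; the ciphertext alone cannot, since both encodings are randomised.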
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-18
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
NVD
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
steeltoe | configuration_encryption | from 4.0.0 (inclusive) to 4.1.0 (inclusive)
steeltoe | configuration_encryption | 4.2.0
CWE ID | Description
CWE-327 | The product uses a broken or risky cryptographic algorithm or protocol.
CWE-256 | The product stores a password in plaintext within resources such as memory or files.
Executive Summary

This vulnerability affects Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0. When users configure RSA with OAEP padding by setting `encrypt:rsa:algorithm=OAEP`, OAEP is not actually enabled. Because Steeltoe passes an incorrect transformation string to BouncyCastle, the OAEP setting selects PKCS#1 v1.5 padding, the same algorithm the DEFAULT setting uses, so the intended stronger OAEP encryption is never applied.

The issue was fixed in version 4.2.0 of Steeltoe.Configuration.Encryption.

Impact Analysis

Because the OAEP setting silently falls back to the older PKCS#1 v1.5 padding, users who believe they are using the stronger scheme are misled. Encrypted configuration values are therefore protected more weakly than expected and remain exposed to the cryptographic attacks on PKCS#1 v1.5 that OAEP was designed to mitigate.

However, the CVSS base score is low (1.9), indicating that the vulnerability has limited impact, requiring local access with high complexity and privileges, and only results in low confidentiality impact without affecting integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade Steeltoe.Configuration.Encryption to version 4.2.0 or later, where the issue with the incorrect BouncyCastle transformation string and OAEP encryption setting is fixed.

Compliance Impact

The vulnerability in Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0 causes the OAEP encryption setting to incorrectly use the less secure PKCS#1 v1.5 algorithm instead of OAEP. This could potentially weaken the encryption strength used in applications relying on this library.

However, the CVE description and available information do not explicitly state any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Given the low CVSS score (1.9) and the nature of the issue being a misconfiguration of encryption algorithm rather than a direct data breach or exposure, the compliance impact is not clearly defined in the provided data.
