PatchSiren cyber security CVE debrief
CVE-2026-50202 SteeltoeOSS CVE debrief
Steeltoe, an open-source project for building cloud-native applications, has a vulnerability in its JWT signing key cache. The `TokenKeyResolver` uses only the `kid` as the cache key without namespacing by authority. This allows a key fetched for one `JwtBearer` scheme to satisfy token validation for another, potentially bypassing security checks. The issue affects Steeltoe.Security.Authentication.CloudFoundryBase, Steeltoe.Security.Authentication.JwtBearer, and Steeltoe.Security.Authentication.OpenIdConnect before versions 3.4.0, 4.2.0, and 4.2.0 respectively. The vulnerability has a CVSS score of 5.9 and is considered medium severity.
- Vendor: SteeltoeOSS
- Product: Steeltoe.Security.Authentication.CloudFoundryBase
- CVSS: MEDIUM 5.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-22
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-22
Who should care
Developers and administrators using Steeltoe to build cloud-native applications, especially those running multiple JwtBearer schemes that point to different identity providers, should be aware of this vulnerability. Security teams responsible for monitoring and patching applications that use Steeltoe should prioritize patching or mitigating this issue.
Technical summary
The JWT signing key cache in `TokenKeyResolver` uses `kid` as the sole cache key without namespacing by authority. This causes problems in applications with multiple `JwtBearer` schemes pointing to different identity providers: a `kid` is only unique within one issuer's key set, so a key fetched for one scheme can satisfy token validation for another. Additionally, cached keys have no expiration, meaning rotated or revoked keys remain trusted until the application process restarts. The affected components are Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect prior to version 4.2.0.
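The following is an added, simplified model of the two cache designs described above; it is not Steeltoe's code. `KidOnlyKeyCache` reproduces the weak pattern (keyed by `kid`, no expiry), `NamespacedKeyCache` shows the corrected shape (keyed by authority plus `kid`, with a TTL), and the authority URLs, key values and `fetch_jwks` stand-in are constructed for the example.

```python
import time

# Constructed sample key sets for two hypothetical identity providers. Both
# publish a key with the same `kid`, which is legal: a kid is only unique
# within one issuer's own key set.
SAMPLE_JWKS = {
    "https://idp-a.example/": {"kid-1": "pubkey-from-A"},
    "https://idp-b.example/": {"kid-1": "pubkey-from-B"},
}

def fetch_jwks(authority):
    """Stand-in for an HTTPS fetch of the authority's JWKS document."""
    return dict(SAMPLE_JWKS[authority])

class KidOnlyKeyCache:
    """Models the weak pattern: one dict keyed by kid alone, no expiry."""
    def __init__(self, fetcher=fetch_jwks):
        self._fetch = fetcher
        self._keys = {}                      # kid -> public key
    def resolve(self, authority, kid):
        if kid not in self._keys:            # cache miss: pull this authority's keys
            self._keys.update(self._fetch(authority))
        return self._keys.get(kid)           # may belong to a different authority

class NamespacedKeyCache:
    """Hardened: keyed by (authority, kid); entries expire after ttl_seconds."""
    def __init__(self, fetcher=fetch_jwks, ttl_seconds=300, clock=time.monotonic):
        self._fetch = fetcher
        self._ttl = ttl_seconds
        self._clock = clock
        self._keys = {}                      # (authority, kid) -> (key, expires_at)
    def resolve(self, authority, kid):
        entry = self._keys.get((authority, kid))
        if entry is None or entry[1] <= self._clock():
            now = self._clock()
            # Refresh only this authority's namespace so a rotated-out kid
            # disappears; other issuers' cached keys are untouched.
            for k in [k for (a, k) in self._keys if a == authority]:
                del self._keys[(authority, k)]
            for k, v in self._fetch(authority).items():
                self._keys[(authority, k)] = (v, now + self._ttl)
            entry = self._keys.get((authority, kid))
        return entry[0] if entry else None   # None: unknown kid, reject the token
```

With the weak cache, a token from provider B carrying `kid-1` is checked against provider A's key once A's key set has been cached; the namespaced cache returns each authority's own key and drops a kid that vanishes from the refreshed key set.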
Defensive priority
Medium
Recommended defensive actions
- Upgrade to Steeltoe.Security.Authentication.CloudFoundryBase version 3.4.0 or later
- Upgrade to Steeltoe.Security.Authentication.JwtBearer version 4.2.0 or later
- Upgrade to Steeltoe.Security.Authentication.OpenIdConnect version 4.2.0 or later
- Configure only one JwtBearer scheme per application when different identity providers are required
- Restart the application process after an identity provider signing key rotation to clear stale cached keys
Evidence notes
The information provided is based on the CVE record and NVD details. The vulnerability was published on 2026-06-17 and modified on 2026-06-18. References include commits and security advisories from the SteeltoeOSS GitHub repository.
Official resources
CVE-2026-50202 was published on 2026-06-17 and modified on 2026-06-18. The vulnerability affects Steeltoe applications using certain versions of Steeltoe.Security.Authentication.CloudFoundryBase, Steeltoe.Security.Authentication.JwtBearer,