PatchSiren cyber security CVE debrief

CVE-2026-50267 SteeltoeOSS CVE debrief

Steeltoe Configuration Abstractions versions 4.0.0 through 4.1.0 are affected by a medium-severity issue (CVSS score 4.7): when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, those credentials are written to temporary files in `Path.GetTempPath()` with world-readable permissions (mode `0644`) on Linux systems. These files are never deleted and can be read by other processes. The same credentials are also present in `/proc/<pid>/environ`, which is protected at mode `0400`. Version 4.2.0 of Steeltoe.Configuration.Abstractions patches this issue.

Vendor
SteeltoeOSS
Product
Steeltoe.Configuration.Abstractions
CVSS
MEDIUM 4.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-22
Advisory published
2026-06-17
Advisory updated
2026-06-22

Who should care

Users of Steeltoe Configuration Abstractions versions 4.0.0 through 4.1.0, especially those deploying on Linux containers, should be aware of this vulnerability. Developers and administrators responsible for cloud-native applications using Steeltoe should assess the risk and apply the patch or mitigation measures.

Technical summary

In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from `VCAP_SERVICES` include TLS client credentials, the Connectors library writes those credentials to temporary files in `Path.GetTempPath()` using `File.CreateText`. On Linux, `File.CreateText` creates files with mode `0644` (world-readable) under the process umask. The files are never deleted, whereas the same key material in the process environment (`/proc/<pid>/environ`) is protected at mode `0400`, so the temporary files weaken the protection the environment already provides. Steeltoe.Configuration.Abstractions version 4.2.0 patches the issue by changing how these credentials are handled.
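The following is an added illustration, not Steeltoe code: it shows the temp-file write pattern the summary describes next to a hardened variant that creates the file with owner-only permissions, plus a check a defender can run against an existing file. It assumes .NET 7 or later on Linux (for `FileStreamOptions.UnixCreateMode`, `Directory.CreateDirectory(string, UnixFileMode)` and `File.GetUnixFileMode`); the PEM content and file names are constructed for the example.

```csharp
// Added example (not Steeltoe's code): insecure vs. hardened temp-file creation
// for TLS key material on Linux. Requires .NET 7+.
using System;
using System.IO;

static class TlsMaterialFiles
{
    // Constructed sample; a real binding would carry the PEM block from VCAP_SERVICES.
    const string SamplePem =
        "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n";

    // The pattern the advisory describes: File.CreateText opens with 0666 & ~umask,
    // which under the usual 022 umask yields 0644, readable by every UID.
    public static string WriteInsecure()
    {
        string path = Path.Combine(Path.GetTempPath(), "client-key-insecure.pem");
        using StreamWriter w = File.CreateText(path);
        w.Write(SamplePem);
        return path;
    }

    // Hardened: a private 0700 directory, the file created 0600 at open(2) time
    // (no window in which a 0644 file exists), CreateNew so a pre-existing path
    // is refused rather than followed, and the caller deletes the file when done.
    public static string WriteHardened()
    {
        string dir = Path.Combine(Path.GetTempPath(), "tls-" + Environment.ProcessId);
        if (OperatingSystem.IsWindows())
            Directory.CreateDirectory(dir);
        else
            Directory.CreateDirectory(dir,
                UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute);

        string path = Path.Combine(dir, "client-key.pem");
        var options = new FileStreamOptions
        {
            Mode = FileMode.CreateNew,
            Access = FileAccess.Write,
            Share = FileShare.None,
        };
        if (!OperatingSystem.IsWindows())
            options.UnixCreateMode = UnixFileMode.UserRead | UnixFileMode.UserWrite; // 0600

        using var fs = new FileStream(path, options);
        using var w = new StreamWriter(fs);
        w.Write(SamplePem);
        return path;
    }

    // Defender's check: can any UID other than the owner read this file?
    public static bool IsReadableByOthers(string path)
    {
        if (OperatingSystem.IsWindows()) return false; // POSIX mode bits only
        UnixFileMode mode = File.GetUnixFileMode(path);
        return (mode & (UnixFileMode.GroupRead | UnixFileMode.OtherRead)) != 0;
    }

    static void Main()
    {
        string insecure = WriteInsecure();
        string hardened = WriteHardened();
        try
        {
            Console.WriteLine($"{insecure}: readable by others = {IsReadableByOthers(insecure)}");
            Console.WriteLine($"{hardened}: readable by others = {IsReadableByOthers(hardened)}");
        }
        finally
        {
            // The advisory's point about files never being deleted: clean up explicitly.
            File.Delete(insecure);
            File.Delete(hardened);
            Directory.Delete(Path.GetDirectoryName(hardened)!);
        }
    }
}
```

Because `UnixCreateMode` is passed to `open(2)`, the umask can only narrow it further, so `0600` holds regardless of the container's umask; the insecure path, by contrast, depends entirely on the umask to avoid `0644`.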

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to Steeltoe.Configuration.Abstractions version 4.2.0 or later.
  • If an immediate upgrade is not possible, ensure no other processes run in the container under a different UID with access to `/tmp`.
  • Review and adjust file permissions and umask settings for the application process.
  • Monitor temporary file directories for suspicious activity.
  • Implement additional logging and auditing for sensitive credential handling.
  • Consider using secure storage mechanisms for sensitive credentials.

Evidence notes

The vulnerability is confirmed through analysis of the Steeltoe Configuration Abstractions codebase and verification of the patch in version 4.2.0. The issue is reported by an unknown vendor and confirmed by the Steeltoe OSS community. References include commits and advisories from the SteeltoeOSS GitHub repository.
