PatchSiren cyber security CVE debrief

CVE-2026-50268 SteeltoeOSS CVE debrief

A low-severity vulnerability was found in Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0. The issue arises when configuring `encrypt:rsa:algorithm=OAEP`, which does not enable OAEP encryption due to an incorrect BouncyCastle transformation string. Instead, it selects PKCS#1 v1.5, the same algorithm as the `DEFAULT` setting. This vulnerability has a CVSS score of 1.9 and is considered low severity. The issue was patched in Steeltoe.Configuration.Encryption version 4.2.0. Users of affected versions should update to the latest version to ensure proper encryption.

Vendor: SteeltoeOSS
Product: Steeltoe.Configuration.Encryption
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-22
Advisory published: 2026-06-17
Advisory updated: 2026-06-22

Who should care

Developers and administrators using Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0 should be aware of this vulnerability. Although the CVSS score is low, it is essential to update to version 4.2.0 or later to ensure proper encryption and mitigate potential risks.

Technical summary

The vulnerability in Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0 is caused by an incorrect BouncyCastle transformation string being used when `encrypt:rsa:algorithm=OAEP` is configured. Because of that string, values written with the OAEP setting are actually padded with PKCS#1 v1.5, the same scheme the `DEFAULT` setting selects, so requesting OAEP changes nothing about the encryption applied. The CVSS vector for this vulnerability is CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N.

Defensive priority

Low

Recommended defensive actions

  • Update Steeltoe.Configuration.Encryption to version 4.2.0 or later
  • Review encryption configurations that request OAEP and verify that they actually produce OAEP-padded values after the upgrade
  • Ensure the intended encryption is enabled in Steeltoe applications
  • Monitor for security risks associated with weaker padding than the configuration requests
  • Consider implementing additional security measures for sensitive data
  • Regularly review and update dependencies to prevent similar vulnerabilities
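To verify the second action above, and the behaviour the technical summary describes, the following is an added example and not Steeltoe or BouncyCastle code: a Go probe that takes a ciphertext produced by the configured encryptor together with its private key and reports whether the value was padded with OAEP or PKCS#1 v1.5, so a value written under `encrypt:rsa:algorithm=OAEP` can be checked before and after upgrading. The candidate OAEP hash functions are an assumption (the advisory does not name one), and the type and function names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"hash"
	"strings"
)

// Padding is what probing a ciphertext with the private key concludes.
type Padding string

const (
	PaddingOAEP    Padding = "OAEP"
	PaddingPKCS1   Padding = "PKCS#1 v1.5"
	PaddingUnknown Padding = "unknown"
)

// CandidateOAEPHashes is an assumption: the advisory does not name the OAEP
// hash, so the probe tries SHA-1 (a common OAEP default) and SHA-256.
var CandidateOAEPHashes = []func() hash.Hash{sha1.New, sha256.New}

// ExpectedPadding maps the `encrypt:rsa:algorithm` value to the padding a
// correct encryptor must produce; the advisory states DEFAULT is PKCS#1 v1.5.
func ExpectedPadding(algorithm string) Padding {
	if strings.EqualFold(algorithm, "OAEP") {
		return PaddingOAEP
	}
	return PaddingPKCS1
}

// DetectPadding decrypts ct with the configured private key and reports which
// scheme produced it. OAEP goes first: its decoding carries an integrity check
// a PKCS#1 v1.5 ciphertext cannot pass, and PKCS#1 v1.5 unpadding of an OAEP
// ciphertext fails with all but negligible probability.
func DetectPadding(priv *rsa.PrivateKey, ct []byte) Padding {
	for _, newHash := range CandidateOAEPHashes {
		if _, err := rsa.DecryptOAEP(newHash(), rand.Reader, priv, ct, nil); err == nil {
			return PaddingOAEP
		}
	}
	if _, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct); err == nil {
		return PaddingPKCS1
	}
	return PaddingUnknown
}
```

A configuration is silently downgraded when `DetectPadding` on a freshly encrypted value returns something other than `ExpectedPadding("OAEP")`.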

Evidence notes

The information provided is based on the CVE record and NVD details. The vulnerability was published on June 17, 2026, and modified on June 18, 2026. The CVSS score is 1.9, indicating low severity. References to the vulnerability can be found on GitHub and the NVD website.
