CVE-2026-50268
LOWSteeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
Title source: cnaDescription
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-4j9m-h44m-2hv8
X_Refsource_Misc x_refsource_misc
https://github.com/SteeltoeOSS/Steeltoe/commit/6cfee5cccddf8f9a31de69b0ca5ccdd771b73e5b
Scores
CVSS v3
1.9
EPSS
0.0005
EPSS Percentile
0.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-256
CWE-327
Status
published
Products (1)
SteeltoeOSS/Steeltoe.Configuration.Encryption
>= 4.0.0, < 4.2.0
Published
Jun 17, 2026
Tracked Since
Jun 18, 2026