Description
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.
Published: 2026-06-17
Score: 1.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an incorrect BouncyCastle transformation string in Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0. When a configuration sets encrypt:rsa:algorithm=OAEP, the library silently uses PKCS#1 v1.5 padding, the same padding as the DEFAULT setting. Data intended to be protected with OAEP is therefore encrypted under the weaker padding scheme, which exposes it to the cryptanalytic attacks known against PKCS#1 v1.5. The weakness is recorded under CWE-256 and CWE-327 (use of a broken or risky cryptographic algorithm).

Affected Systems

Affected products include Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0 as used in cloud-native applications built with the Steeltoe OSS libraries. Any system that references the vulnerable package and relies on its RSA encryption for secrets, configuration payloads, or data protection is potentially affected. The vulnerability is patched in Steeltoe.Configuration.Encryption 4.2.0.

Risk and Exploitability

The CVSS score of 1.9 and an EPSS score below 1% indicate a low overall risk for most environments, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw weakens cryptographic guarantees, an attacker who can capture data encrypted under the affected setting may be able to recover the plaintext. The misconfiguration is local to the application layer (the CVSS vector is AV:L); no network-level exploit is required, and the impact is a loss of confidentiality for the data the affected library encrypted.

Generated by OpenCVE AI on June 18, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Steeltoe.Configuration.Encryption to 4.2.0 or later
  • Verify that encrypt:rsa:algorithm is explicitly set to OAEP and that the BouncyCastle transformation string is correct after the update
  • Audit existing encrypted secrets and re-encrypt any that were produced with the incorrect padding using the updated library
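One way to carry out the verification and audit steps above is to check which padding a ciphertext block actually carries, since OAEP and PKCS#1 v1.5 blocks have the same length and cannot be told apart by inspection. The following is an added example in C#, not Steeltoe or BouncyCastle code: it takes a raw RSA ciphertext block and the matching private key and classifies the padding by attempting decryption, because an OAEP decryption of a PKCS#1 v1.5 block fails its hash check. The key, the sample secret and the two ciphertexts standing in for output of the affected and the patched versions are constructed inline; how Steeltoe wraps its ciphertext (encoding, prefix) is not described on this page, so the example assumes the caller has already extracted the raw block.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Steeltoe or BouncyCastle code. Classifies which RSA
// padding produced a raw ciphertext block by trying to decrypt it with the
// matching private key. Key material and sample data are constructed here.
public static class RsaPaddingCheck
{
    public enum Padding { Oaep, Pkcs1, Unknown }

    // OAEP is tried first, with the two hash choices a BouncyCastle OAEP
    // transformation is likely to use (SHA-1 is BouncyCastle's default when
    // no hash is named; SHA-256 covers explicit configurations). PKCS#1 v1.5
    // is tried last on purpose: its padding check is loose enough that an
    // OAEP block passes it by chance roughly once in 256 attempts, whereas an
    // OAEP decryption of a PKCS#1 v1.5 block fails with overwhelming probability.
    public static Padding Classify(RSA key, byte[] ciphertext)
    {
        foreach (var oaep in new[] { RSAEncryptionPadding.OaepSHA1, RSAEncryptionPadding.OaepSHA256 })
        {
            if (TryDecrypt(key, ciphertext, oaep)) return Padding.Oaep;
        }
        return TryDecrypt(key, ciphertext, RSAEncryptionPadding.Pkcs1) ? Padding.Pkcs1 : Padding.Unknown;
    }

    private static bool TryDecrypt(RSA key, byte[] ciphertext, RSAEncryptionPadding padding)
    {
        try
        {
            key.Decrypt(ciphertext, padding);
            return true;
        }
        catch (CryptographicException)
        {
            return false; // padding check failed: this block was not produced with this scheme
        }
    }

    public static void Main()
    {
        using RSA key = RSA.Create(2048);
        byte[] secret = Encoding.UTF8.GetBytes("db-password-placeholder"); // constructed sample

        // Stand-ins for what encrypt:rsa:algorithm=OAEP emits: on 4.0.0-4.1.0 the
        // raw block is PKCS#1 v1.5 (the bug), on 4.2.0 it should be genuine OAEP.
        byte[] blockFromAffectedVersion = key.Encrypt(secret, RSAEncryptionPadding.Pkcs1);
        byte[] blockFromPatchedVersion = key.Encrypt(secret, RSAEncryptionPadding.OaepSHA1);

        Console.WriteLine($"block from 4.0.0-4.1.0: {Classify(key, blockFromAffectedVersion)}");
        Console.WriteLine($"block from 4.2.0:       {Classify(key, blockFromPatchedVersion)}");
    }
}
```

Run against a secret produced by the deployed encryptor with the deployment's own private key: a result of Pkcs1 while the configuration says OAEP confirms the affected behaviour and marks that secret for re-encryption after the upgrade; Oaep confirms the fix took effect. Unknown means the input was not a raw block for that key (a wrapper or encoding is still present, or the key does not match).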

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type         Values Removed   Values Added
Description  -                Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.
Title        -                Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding
Weaknesses   -                CWE-256, CWE-327
References   -
Metrics      -                cvssV3_1: {'score': 1.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-18T13:53:58.470Z

Reserved: 2026-06-04T16:26:05.984Z

Link: CVE-2026-50268

Vulnrichment

Updated: 2026-06-18T13:46:44.816Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:00:15Z

Weaknesses
  • CWE-256

    Plaintext Storage of a Password

  • CWE-327

    Use of a Broken or Risky Cryptographic Algorithm