CVE-2026-50268
CVSS: 1.9 (Low)
Exploitation Probability (EPSS): Low risk, 0th percentile (higher than 0% of all known CVEs)
Summary
In Steeltoe.Configuration.Encryption versions 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP padding. Because the library passes an incorrect transformation string to BouncyCastle, the `OAEP` setting selects PKCS#1 v1.5 padding, the same algorithm the `DEFAULT` setting uses; values encrypted under the `OAEP` setting are therefore PKCS#1 v1.5 ciphertexts.
Risk Assessment
The `OAEP` setting silently provides no more than PKCS#1 v1.5, so deployments that chose OAEP for its chosen-ciphertext resistance do not have it. PKCS#1 v1.5 encryption padding is susceptible to padding-oracle (Bleichenbacher-style) attacks when an attacker can submit chosen ciphertexts and observe whether decryption rejects them; that oracle is also the precondition for exploiting this issue, which is why the score is low. Where such an oracle exists, an attacker could recover the plaintext of encrypted configuration values, leading to unauthorized access to data. The `DEFAULT` setting carries the same exposure by design; the defect is that selecting `OAEP` did not remove it.
Recommendation
Upgrade to Steeltoe.Configuration.Encryption 4.2.0, which corrects the transformation string so that `encrypt:rsa:algorithm=OAEP` genuinely selects OAEP. After upgrading, re-encrypt any values that were produced under the `OAEP` setting by an affected version: they are PKCS#1 v1.5 ciphertexts, and a decryptor that now really uses OAEP will reject them unless the patched release provides a fallback. It is also worth adding a test that encrypts a value under the `OAEP` setting and confirms the result does not decode as a PKCS#1 v1.5 block.
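The check just described, as an added example that is not Steeltoe's or BouncyCastle's code: a stdlib-only Python model of the two paddings with a detector that reports which one a ciphertext really carries, plus a model of the setting-to-padding table in its buggy and fixed forms. Assumptions: a 512-bit key (for speed only), SHA-1 for OAEP and MGF1 with an empty label, and the function and table names, which belong to this example and not to the library. The real check against the library would decrypt a value encrypted under the `OAEP` setting with a PKCS#1 v1.5 decoder and expect it to fail.

```python
# Added example, not Steeltoe's or BouncyCastle's code: a stdlib-only model of RSA encryption
# padding that checks which scheme a ciphertext really carries. Assumed for the demo: 512-bit
# keys (speed only), SHA-1 for OAEP/MGF1 with an empty label, and all names defined below.
import hashlib
import os
import secrets

HASH, HLEN = hashlib.sha1, 20

def _is_probable_prime(n, rounds=16):  # Miller-Rabin: n - 1 = 2^r * d, witness must hit 1 or n-1
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and not any(pow(x, 2 << i, n) == n - 1 for i in range(r - 1)):
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand

def generate_key(bits=512):  # returns ((n, e), (n, d)) with e = 65537
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return (n, e), (n, pow(e, -1, phi))

def _pkcs1_v15_pad(m, k):  # RFC 8017 7.2.1: 00 02 <random nonzero PS, >= 8 bytes> 00 M
    if len(m) > k - 11:
        raise ValueError("message too long")
    ps = bytes(b for b in os.urandom(2 * k) if b)[:k - len(m) - 3]  # 2k bytes always leave enough
    return b"\x00\x02" + ps + b"\x00" + m

def _pkcs1_v15_unpad(em, k):
    sep = em.find(b"\x00", 2)
    if len(em) != k or em[:2] != b"\x00\x02" or sep < 10:
        raise ValueError("not PKCS#1 v1.5")
    return em[sep + 1:]

def _mgf1(seed, length):
    return b"".join(HASH(seed + i.to_bytes(4, "big")).digest() for i in range(-(-length // HLEN)))[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _oaep_pad(m, k):  # RFC 8017 7.1.1: 00 || maskedSeed || maskedDB, DB = lHash || PS || 01 || M
    if len(m) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    db = HASH(b"").digest() + b"\x00" * (k - len(m) - 2 * HLEN - 2) + b"\x01" + m
    seed = os.urandom(HLEN)
    masked_db = _xor(db, _mgf1(seed, k - HLEN - 1))
    return b"\x00" + _xor(seed, _mgf1(masked_db, HLEN)) + masked_db

def _oaep_unpad(em, k):
    if len(em) != k or em[0] != 0:
        raise ValueError("not OAEP")
    seed = _xor(em[1:1 + HLEN], _mgf1(em[1 + HLEN:], HLEN))
    db = _xor(em[1 + HLEN:], _mgf1(seed, k - HLEN - 1))
    body = db[HLEN:].lstrip(b"\x00")
    if db[:HLEN] != HASH(b"").digest() or not body.startswith(b"\x01"):
        raise ValueError("not OAEP")
    return body[1:]

SCHEMES = {"PKCS1_V15": (_pkcs1_v15_pad, _pkcs1_v15_unpad), "OAEP": (_oaep_pad, _oaep_unpad)}

def encrypt(pub, m, scheme):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(SCHEMES[scheme][0](m, k), "big"), e, n).to_bytes(k, "big")

def decrypt(priv, c, scheme):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return SCHEMES[scheme][1](pow(int.from_bytes(c, "big"), d, n).to_bytes(k, "big"), k)

def detect_scheme(priv, c):
    # OAEP first: its lHash check cannot pass by accident; a PKCS#1 v1.5 block is only 00 02 .. 00
    for scheme in ("OAEP", "PKCS1_V15"):
        try:
            decrypt(priv, c, scheme)
            return scheme
        except ValueError:
            pass
    return "UNKNOWN"

# Models of the setting -> padding table (not Steeltoe's code): BUGGY is the 4.0.0-4.1.0 behaviour
# the advisory describes (OAEP and DEFAULT both reach PKCS#1 v1.5); FIXED is the intended mapping.
TABLE_BUGGY = {"DEFAULT": "PKCS1_V15", "OAEP": "PKCS1_V15"}
TABLE_FIXED = {"DEFAULT": "PKCS1_V15", "OAEP": "OAEP"}

def scheme_actually_used(table, setting, pub, priv):
    """What `encrypt:rsa:algorithm=<setting>` really produces under a given table."""
    return detect_scheme(priv, encrypt(pub, b"constructed secret", table[setting]))
```

With a key from `generate_key()`, `scheme_actually_used(TABLE_BUGGY, "OAEP", pub, priv)` returns `PKCS1_V15`, exactly what it returns for `DEFAULT`; under `TABLE_FIXED` it returns `OAEP`. The detector tries OAEP first because a decoded block can only pass the lHash comparison if it really was OAEP-encoded, whereas a PKCS#1 v1.5 block is recognised solely by its `00 02 ... 00` layout. The same ordering shows the upgrade caveat: a ciphertext produced by the buggy table will not decode under the OAEP decoder.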
Original NVD description (English source)
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.

