{"id":"CVE-2026-50268","summary":"Steeltoe: OAEP setting silently selects PKCS#1 v1.5 padding","details":"Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring `encrypt:rsa:algorithm=OAEP` does not enable OAEP encryption. Due to an incorrect BouncyCastle transformation string, the `OAEP` setting selects PKCS#1 v1.5, which is the same algorithm as the `DEFAULT` setting. Steeltoe.Configuration.Encryption version 4.2.0 patches the issue.","aliases":["GHSA-4j9m-h44m-2hv8"],"modified":"2026-07-08T08:13:45.445972246Z","published":"2026-06-17T22:01:19.712Z","database_specific":{"cwe_ids":["CWE-256","CWE-327"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50268.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50268.json"},{"type":"ADVISORY","url":"https://github.com/SteeltoeOSS/security-advisories/security/advisories/GHSA-4j9m-h44m-2hv8"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50268"},{"type":"FIX","url":"https://github.com/SteeltoeOSS/Steeltoe/commit/6cfee5cccddf8f9a31de69b0ca5ccdd771b73e5b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/steeltoeoss/steeltoe","events":[{"introduced":"c4d303abd0d8a53b62516c0281643e00c1a69f0e"},{"fixed":"2d4338d0fc3990a8df90968187d9567004d3fbe7"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"4.0.0"},{"fixed":"4.2.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50268.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N"}]}