Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Multi-scheme deployment plus kid collision required (AC:H); attacker needs only a valid token from one co-configured IdP (PR:L, not PR:H); no availability impact applies.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionCVE.org
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect prior to version 4.2.0, the JWT signing key cache in TokenKeyResolver uses kid as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally, cached keys have no expiration, so rotated or revoked keys remain trusted until the application process restarts. Steeltoe.Security.Authentication.CloudFoundryBase version 3.4.0, Steeltoe.Security.Authentication.JwtBearer version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect version 4.2.0 patch the issue. If an immediate upgrade is not possible: In multi-scheme deployments, configure only one JwtBearer scheme per application when different identity providers are required; and/or restart the application process after an identity provider signing key rotation to clear stale cached keys.
AnalysisAI
Cross-authority JWT signing key confusion in Steeltoe authentication libraries allows tokens issued by one identity provider to be accepted by application schemes configured for a different authority. Affected are CloudFoundryBase prior to 3.4.0, JwtBearer prior to 4.2.0, and OpenIdConnect prior to 4.2.0 when deployed in multi-scheme configurations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation of the cross-authority confusion vector requires all of the following: (1) the application must register two or more `JwtBearer` authentication schemes each pointing to distinct identity provider authority URLs; (2) both identity providers must publish signing keys that share the same `kid` string value - either by coincidence or by attacker influence over one IdP's key naming convention; (3) the attacker must possess a valid JWT bearing that `kid`, issued by the IdP whose key is resolved and cached first. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N) scores 5.9, reflecting network exploitability against high-complexity, high-privilege conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a valid JWT from identity provider A - or who can influence IdP A's key naming - submits that token to an application endpoint whose `JwtBearer` scheme is configured for identity provider B. If both IdPs publish a signing key sharing the same `kid` string, the Steeltoe `TokenKeyResolver` returns the cached key fetched for IdP A in response to the validation lookup for scheme B, causing the ASP.NET Core middleware to accept the foreign token as valid for IdP B's audience. … |
| Remediation | Upgrade to the patched releases: Steeltoe.Security.Authentication.CloudFoundryBase 3.4.0, Steeltoe.Security.Authentication.JwtBearer 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect 4.2.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-668 – Exposure of Resource to Wrong Sphere
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37817
GHSA-7fqc-p256-7pwj