Skip to main content

Steeltoe CVE-2026-50202

| EUVDEUVD-2026-37817 MEDIUM
Exposure of Resource to Wrong Sphere (CWE-668)
2026-06-17 GitHub_M GHSA-7fqc-p256-7pwj
5.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
6.8 MEDIUM

Multi-scheme deployment plus kid collision required (AC:H); attacker needs only a valid token from one co-configured IdP (PR:L, not PR:H); no availability impact applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jul 02, 2026 - 22:02 EUVD
Source Code Evidence Fetched
Jun 17, 2026 - 23:04 vuln.today
Analysis Generated
Jun 17, 2026 - 23:04 vuln.today

DescriptionCVE.org

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Security.Authentication.CloudFoundryBase prior to version 3.4.0, Steeltoe.Security.Authentication.JwtBearer prior to version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect prior to version 4.2.0, the JWT signing key cache in TokenKeyResolver uses kid as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can satisfy token validation for another. Additionally, cached keys have no expiration, so rotated or revoked keys remain trusted until the application process restarts. Steeltoe.Security.Authentication.CloudFoundryBase version 3.4.0, Steeltoe.Security.Authentication.JwtBearer version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect version 4.2.0 patch the issue. If an immediate upgrade is not possible: In multi-scheme deployments, configure only one JwtBearer scheme per application when different identity providers are required; and/or restart the application process after an identity provider signing key rotation to clear stale cached keys.

AnalysisAI

Cross-authority JWT signing key confusion in Steeltoe authentication libraries allows tokens issued by one identity provider to be accepted by application schemes configured for a different authority. Affected are CloudFoundryBase prior to 3.4.0, JwtBearer prior to 4.2.0, and OpenIdConnect prior to 4.2.0 when deployed in multi-scheme configurations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify multi-scheme Steeltoe deployment with distinct IdPs
Delivery
Discover matching kid across two IdP JWKS endpoints
Exploit
Obtain valid JWT from IdP-A bearing the shared kid
Execution
Submit token to application endpoint protected by IdP-B scheme
Persist
Cache collision causes TokenKeyResolver to return IdP-A key for IdP-B validation
Impact
Unauthorized access granted to IdP-B-protected resources

Vulnerability AssessmentAI

Exploitation Exploitation of the cross-authority confusion vector requires all of the following: (1) the application must register two or more `JwtBearer` authentication schemes each pointing to distinct identity provider authority URLs; (2) both identity providers must publish signing keys that share the same `kid` string value - either by coincidence or by attacker influence over one IdP's key naming convention; (3) the attacker must possess a valid JWT bearing that `kid`, issued by the IdP whose key is resolved and cached first. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N) scores 5.9, reflecting network exploitability against high-complexity, high-privilege conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a valid JWT from identity provider A - or who can influence IdP A's key naming - submits that token to an application endpoint whose `JwtBearer` scheme is configured for identity provider B. If both IdPs publish a signing key sharing the same `kid` string, the Steeltoe `TokenKeyResolver` returns the cached key fetched for IdP A in response to the validation lookup for scheme B, causing the ASP.NET Core middleware to accept the foreign token as valid for IdP B's audience. …
Remediation Upgrade to the patched releases: Steeltoe.Security.Authentication.CloudFoundryBase 3.4.0, Steeltoe.Security.Authentication.JwtBearer 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect 4.2.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-50202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy