JSON Web Token Signing Key Cache Issue in Steeltoe's Authentication Libraries
CVE-2026-50202

5.9 MEDIUM

What is CVE-2026-50202?

The Steeltoe authentication libraries have a flaw in their JWT signing key cache: the cache uses the token's 'kid' header as its only cache key, which is a risk in multi-scheme deployments that use different identity providers. Because the cache does not distinguish which scheme a key was fetched for, a key cached from one scheme may be used to validate tokens belonging to another scheme, leading to incorrect validation outcomes. Furthermore, cached keys never expire, so revoked or rotated keys remain accepted until the application is restarted. To mitigate these risks, update to the patched versions or, where multiple providers are in use, limit the deployment to a single 'JwtBearer' scheme.
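To make the two problems in the description concrete, the following added example (illustration only, not Steeltoe's code; the class and function names are hypothetical and the key material is constructed placeholder data) contrasts a key cache keyed by 'kid' alone with no expiry against one keyed by (scheme, kid) with a time-to-live. Two schemes whose providers both publish a key under kid "key-1" show the cross-scheme mix-up, and rotating one provider's key shows why a cache without expiry keeps accepting the old key.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed sample JWKS contents for two JwtBearer schemes backed by different
# identity providers. Both providers happen to publish a key with kid "key-1";
# the values are placeholders standing in for real public keys.
def sample_jwks() -> Dict[str, Dict[str, str]]:
    return {
        "SchemeA": {"key-1": "PUBKEY-A-1"},
        "SchemeB": {"key-1": "PUBKEY-B-1"},
    }

Fetch = Callable[[str, str], Optional[str]]


class KidOnlyKeyCache:
    """Pattern the advisory describes: cache keyed by kid alone, no expiry (hypothetical)."""

    def __init__(self, fetch: Fetch) -> None:
        self._fetch = fetch
        self._cache: Dict[str, Optional[str]] = {}

    def get(self, scheme: str, kid: str) -> Optional[str]:
        # The scheme is ignored for lookup, so whichever scheme fetched 'kid'
        # first wins for every scheme afterwards, and nothing ever evicts it.
        if kid not in self._cache:
            self._cache[kid] = self._fetch(scheme, kid)
        return self._cache[kid]


class ScopedExpiringKeyCache:
    """Hardened pattern: keyed by (scheme, kid), entries expire after a TTL (hypothetical)."""

    def __init__(self, fetch: Fetch, ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[Tuple[str, str], Tuple[Optional[str], float]] = {}

    def get(self, scheme: str, kid: str) -> Optional[str]:
        now = self._clock()
        entry = self._cache.get((scheme, kid))
        if entry is None or now >= entry[1]:
            key = self._fetch(scheme, kid)          # refetch from that scheme's own JWKS
            self._cache[(scheme, kid)] = (key, now + self._ttl)
            return key
        return entry[0]

    def invalidate(self, scheme: str) -> None:
        """Drop every cached key for one scheme, e.g. after a signature failure."""
        for k in [k for k in self._cache if k[0] == scheme]:
            del self._cache[k]


def cross_scheme_lookup() -> Tuple[Optional[str], Optional[str]]:
    """Resolve kid 'key-1' for SchemeA, then SchemeB, with each cache design."""
    jwks = sample_jwks()
    fetch = lambda scheme, kid: jwks[scheme].get(kid)
    kid_only = KidOnlyKeyCache(fetch)
    scoped = ScopedExpiringKeyCache(fetch, ttl_seconds=300)
    kid_only.get("SchemeA", "key-1")
    scoped.get("SchemeA", "key-1")
    # kid-only cache hands SchemeB the key it fetched for SchemeA.
    return kid_only.get("SchemeB", "key-1"), scoped.get("SchemeB", "key-1")


def rotated_key_lookup() -> Tuple[Optional[str], Optional[str]]:
    """Rotate SchemeA's key after it was cached; see which cache notices."""
    jwks = sample_jwks()
    fetch = lambda scheme, kid: jwks[scheme].get(kid)
    now = [0.0]                                   # controllable fake clock
    kid_only = KidOnlyKeyCache(fetch)
    scoped = ScopedExpiringKeyCache(fetch, ttl_seconds=300, clock=lambda: now[0])
    kid_only.get("SchemeA", "key-1")
    scoped.get("SchemeA", "key-1")
    jwks["SchemeA"]["key-1"] = "PUBKEY-A-2"       # provider rotates the key
    now[0] = 301.0                                # TTL has elapsed
    # kid-only cache still returns the retired key; scoped cache refetches.
    return kid_only.get("SchemeA", "key-1"), scoped.get("SchemeA", "key-1")


if __name__ == "__main__":
    print("cross-scheme (kid-only, scoped):", cross_scheme_lookup())
    print("after rotation (kid-only, scoped):", rotated_key_lookup())
```

The scoped cache also exposes an `invalidate(scheme)` hook so a validation layer can drop a scheme's keys on a signature mismatch and refetch immediately, rather than waiting for the TTL or an application restart.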

Affected Version(s)

Steeltoe.Security.Authentication.CloudFoundryBase < 3.4.0

Steeltoe.Security.Authentication.JwtBearer < 4.2.0

Steeltoe.Security.Authentication.OpenIdConnect < 4.2.0

References

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
