CVE-2026-50202 affects Steeltoe.Security.Authentication.CloudFoundryBase versions prior to 3.4.0, Steeltoe.Security.Authentication.JwtBearer versions prior to 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect versions prior to 4.2.0. The vulnerability arises because the JWT signing key cache in TokenKeyResolver uses the 'kid' as the sole cache key without namespacing by authority. In applications with multiple JwtBearer schemes pointing to different identity providers, a key fetched for one scheme can incorrectly validate tokens for another scheme. Furthermore, cached keys lack expiration, causing rotated or revoked keys to remain trusted until the application process restarts. The issue is patched in versions 3.4.0, 4.2.0, and 4.2.0 respectively. Workarounds include limiting to one JwtBearer scheme per application when multiple identity providers are used or restarting the application after key rotation to clear stale cache entries.

The vulnerability can lead to exposure of resources to the wrong authentication sphere, allowing tokens validated by one identity provider to be accepted by another, potentially enabling unauthorized access. The lack of cache expiration means that revoked or rotated keys remain trusted until application restart, prolonging the window of risk. The CVSS score of 5.9 (medium severity) reflects the network attack vector, high privileges required, and high impact on confidentiality and integrity without affecting availability.

A fix is available in Steeltoe.Security.Authentication.CloudFoundryBase version 3.4.0, Steeltoe.Security.Authentication.JwtBearer version 4.2.0, and Steeltoe.Security.Authentication.OpenIdConnect version 4.2.0. Users should upgrade to these versions to remediate the vulnerability. If immediate upgrade is not possible, mitigate by configuring only one JwtBearer scheme per application when multiple identity providers are used, and restart the application process after any identity provider signing key rotation to clear stale cached keys.