CVE Catalog

CVE-2026-9058

Critical
Published: Translated: NVD NIST

Summary

Szafir SDK returns a success status code from the cryptographic digital signature verification process even when the trust status of the signer's certificate could not be established. This causes consuming applications to incorrectly treat the signature as valid, enabling authentication bypass and user impersonation.

Risk Assessment

Organizations may be exposed to unauthorized access and fraud attacks, as applications may accept unverified signatures as valid.

Recommendation

It is recommended to update to version 463 or newer to fix this vulnerability and ensure proper certificate verification.

Original NVD description (English source)

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS