CVE-2026-26275
BaseFortify
Publication date: 2026-02-19
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| junkurihara | httpsig-hyper | to 0.0.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-697 | The product compares two entities in a security-relevant context, but the comparison is incorrect. |
| CWE-354 | The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the httpsig-hyper library prior to version 0.0.23, where the Digest header verification could incorrectly succeed due to misuse of Rust's matches! macro.
Specifically, the comparison if matches!(digest, _expected_digest) treated _expected_digest as a pattern binding rather than a value comparison, causing the match expression to always succeed unconditionally.
As a result, digest verification could incorrectly return success even when the computed digest did not match the expected value, potentially allowing message body modifications to go undetected.
This issue affects applications relying on Digest verification as part of HTTP message signature validation.
The problem was fixed in version 0.0.23 by replacing the incorrect matches! usage with proper value comparison and adding constant-time comparison for digest verification.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to modify the HTTP message body without detection because the Digest header verification may incorrectly succeed.
If your application relies solely on Digest verification for message integrity, it may fail to detect tampering or unauthorized changes to the message content.
The severity of the impact depends on how the httpsig-hyper library is integrated and whether additional signature validation layers are enforced.
Without proper verification, this could lead to integrity issues in communications, potentially allowing malicious data to be accepted as valid.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade httpsig-hyper to version 0.0.23 or later, where the issue has been fixed.
If immediate upgrading is not possible, avoid relying solely on Digest header verification for message integrity.
Ensure that full HTTP message signature verification is enforced at the application layer to compensate for the vulnerability.