CVE-2026-33487
Loop Variable Capture Bug in goxmlsig XML Signature Validation
Publication date: 2026-03-26
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| goxmldsig_project | goxmldsig | to 1.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-682 | The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management. |
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33487 is a high-severity vulnerability in the Go package goxmldsig (versions up to v1.5.0) caused by a loop variable capture issue in the validateSignature function. The function iterates over references in the SignedInfo block to find one matching a signed element's ID, but incorrectly takes the address of the loop variable instead of the actual slice element. Because of how Go versions before 1.22 handle loop variables, the pointer always ends up referencing the last element in the slice regardless of which element matched.
This flaw allows an attacker to bypass signature verification by substituting one signed element's content with another's within the same signature, effectively enabling unauthorized modifications to signed XML elements without detection.
The issue was fixed in goxmldsig version 1.6.0 by changing the code to reference slice elements directly using their index instead of capturing the loop variable's address.
How can this vulnerability impact me? :
This vulnerability impacts the integrity of XML digital signatures by allowing attackers to modify signed XML elements without detection. An attacker can exploit this remotely without any privileges or user interaction.
As a result, systems relying on goxmldsig for XML signature verification may accept tampered documents as valid, potentially leading to unauthorized actions, data manipulation, or bypassing security controls that depend on signature validation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability impacts the integrity of XML Digital Signatures by allowing unauthorized modification of signed XML elements without detection.
Since it enables attackers to bypass signature verification and alter signed data, it undermines the trustworthiness and authenticity of digitally signed documents.
Such a failure in ensuring data integrity and authenticity can lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and authenticity to safeguard personal and sensitive information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from a loop variable capture issue in the `validateSignature` function of the `goxmldsig` package versions β€ v1.5.0. Detection involves identifying if your system or application is using a vulnerable version of the `goxmldsig` package (version 1.5.0 or earlier) or an older Go version prior to 1.22 that could trigger this issue.
To detect the vulnerability on your system, you can check the version of the `goxmldsig` package used in your Go modules by running:
- go list -m all | grep goxmldsig
If the version is 1.5.0 or earlier, your system is vulnerable.
Additionally, verify your Go version with:
- go version
If your Go version is earlier than 1.22, the vulnerability may be present if using older `goxmldsig` versions.
For network detection, monitoring XML Digital Signature verification failures or anomalies in signed XML documents could indicate exploitation attempts, but no specific network commands or signatures are provided.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update the `goxmldsig` package to version 1.6.0 or later, where the vulnerability has been patched.
If updating immediately is not possible, consider reviewing your code to ensure the loop variable capture issue is fixed by avoiding taking the address of the loop variable directly. Instead, use the index to reference slice elements, as shown in the corrected code snippet:
- for i := range signedInfo.References { if signedInfo.References[i].URI == "" || signedInfo.References[i].URI[1:] == idAttr { ref = &signedInfo.References[i] break } }
Also, ensure your Go version is 1.22 or later to avoid the loop variable capture behavior that causes this issue.
Finally, monitor your systems for any suspicious activity related to XML signature verification and restrict network access to services using vulnerable versions until patched.