Executive Summary

CVE-2026-33487 is a high-severity vulnerability in the Go package goxmldsig (versions up to v1.5.0) caused by a loop variable capture issue in the validateSignature function. The function iterates over references in the SignedInfo block to find one matching a signed element's ID, but incorrectly takes the address of the loop variable instead of the actual slice element. Because of how Go versions before 1.22 handle loop variables, the pointer always ends up referencing the last element in the slice regardless of which element matched.

This flaw allows an attacker to bypass signature verification by substituting one signed element's content with another's within the same signature, effectively enabling unauthorized modifications to signed XML elements without detection.

The issue was fixed in goxmldsig version 1.6.0 by changing the code to reference slice elements directly using their index instead of capturing the loop variable's address.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability impacts the integrity of XML digital signatures by allowing attackers to modify signed XML elements without detection. An attacker can exploit this remotely without any privileges or user interaction.

As a result, systems relying on goxmldsig for XML signature verification may accept tampered documents as valid, potentially leading to unauthorized actions, data manipulation, or bypassing security controls that depend on signature validation.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises from a loop variable capture issue in the `validateSignature` function of the `goxmldsig` package versions ≤ v1.5.0. Detection involves identifying if your system or application is using a vulnerable version of the `goxmldsig` package (version 1.5.0 or earlier) or an older Go version prior to 1.22 that could trigger this issue.

To detect the vulnerability on your system, you can check the version of the `goxmldsig` package used in your Go modules by running:

• go list -m all | grep goxmldsig

If the version is 1.5.0 or earlier, your system is vulnerable.

Additionally, verify your Go version with:

• go version

If your Go version is earlier than 1.22, the vulnerability may be present if using older `goxmldsig` versions.

For network detection, monitoring XML Digital Signature verification failures or anomalies in signed XML documents could indicate exploitation attempts, but no specific network commands or signatures are provided.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the `goxmldsig` package to version 1.6.0 or later, where the vulnerability has been patched.

If updating immediately is not possible, consider reviewing your code to ensure the loop variable capture issue is fixed by avoiding taking the address of the loop variable directly. Instead, use the index to reference slice elements, as shown in the corrected code snippet:

• for i := range signedInfo.References { if signedInfo.References[i].URI == "" || signedInfo.References[i].URI[1:] == idAttr { ref = &signedInfo.References[i] break } }

Also, ensure your Go version is 1.22 or later to avoid the loop variable capture behavior that causes this issue.

Finally, monitor your systems for any suspicious activity related to XML signature verification and restrict network access to services using vulnerable versions until patched.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability impacts the integrity of XML Digital Signatures by allowing unauthorized modification of signed XML elements without detection.

Since it enables attackers to bypass signature verification and alter signed data, it undermines the trustworthiness and authenticity of digitally signed documents.

Such a failure in ensuring data integrity and authenticity can lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and authenticity to safeguard personal and sensitive information.

Useful 0 Not Useful 0