CVE-2026-40070: Signature Verification Bypass in BSV Ruby SDK WalletClient

Status: Received - Intake

Publication date: 2026-04-09

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)

Vendor   Product        Version / Range
sgbett   bsv-wallet     from 0.1.2 (inclusive) to 0.3.4 (exclusive)
sgbett   bsv_ruby_sdk   from 0.3.1 (inclusive) to 0.8.2 (exclusive)
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in CVE-2026-40070 allows attackers to forge identity certificates by bypassing signature verification in the BSV Ruby SDK. This undermines the authenticity and integrity of digital identity certificates used on the Bitcoin SV blockchain.

Since identity certificates are critical for verifying user identities and controlling access to sensitive data, this flaw can lead to unauthorized access or impersonation, which may violate data protection and privacy regulations such as GDPR and HIPAA.

Specifically, the ability to forge certificates without proper verification compromises the trustworthiness of identity assertions, potentially leading to breaches of confidentiality, improper data handling, and failure to ensure data subject rights, all of which are key compliance requirements.

Therefore, until patched, systems relying on the affected versions of the BSV Ruby SDK may be non-compliant with standards that mandate strong identity verification and data protection controls.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, immediately upgrade the affected Ruby gems to the patched versions:

  • Upgrade `bsv-sdk` to version 0.8.2 or later.
  • Upgrade `bsv-wallet` to version 0.3.4 or later.

These versions include fixes that enforce signature verification on certificates before persisting them, closing the vulnerability that allowed forged certificates.

Additionally, ensure that your deployment uses the paired versions of these gems together to avoid dependency mismatches that could omit critical fixes.

Review your usage of the `acquire_certificate` method to confirm that it is not accepting unverified certificates from untrusted sources.


Can you explain this vulnerability to me?

CVE-2026-40070 is a critical security vulnerability in the BSV Ruby SDK, specifically in the method BSV::Wallet::WalletClient#acquire_certificate. This method stores identity certificate records without verifying the certifier's cryptographic signature over the certificate contents. There are two acquisition paths affected: in the 'direct' path, the caller supplies all certificate fields including the signature, which are stored verbatim without verification; in the 'issuance' path, the client posts to a certifier URL and stores the returned signature without verifying it.

Because of this lack of signature verification, an attacker who can access either API or control a certifier endpoint can forge identity certificates that appear authentic to downstream methods like list_certificates and prove_certificate. This effectively allows credential forgery, as forged certificates are trusted as valid.

The vulnerability violates the BRC-52 specification, which requires verifying a certificate's signature over a canonical hash of its fields using the certifier's public key. The Ruby SDK failed to implement this verification, unlike the reference TypeScript SDK.


How can this vulnerability impact me?

This vulnerability allows attackers to forge identity certificates that downstream systems will accept as authentic. This means an attacker can impersonate other identities or create fraudulent credentials within systems relying on the BSV Ruby SDK for certificate verification.

Such forged certificates can be used to bypass authentication, gain unauthorized access, or prove false identities, potentially compromising the security and trustworthiness of applications using these certificates.

The CVSS v3.1 base score of 8.1 (High severity) reflects the significant confidentiality and integrity impacts, as the vulnerability allows credential forgery without user interaction and requires only low privileges.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the BSV Ruby SDK persisting certificate records without verifying the certifier's signature, allowing forged certificates to appear authentic. Detection involves identifying unverified or forged certificates stored or used by the SDK.

Since the vulnerability is in the Ruby SDK's handling of certificates, detection on your system can include auditing stored certificates for signature verification failures or anomalies.

There are no explicit commands provided in the available resources to detect this vulnerability directly on your network or system.
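As an added example (not code from the BSV Ruby SDK or from BRC-52), here is the check the description says is missing, used both as a gate in front of storage and as an audit over records an unpatched client already wrote: a certificate counts as valid only if its signature verifies under the certifier key it names and that certifier is one the wallet trusts. The field set, the canonical serialization and the PEM-encoded certifier key are assumptions standing in for the SDK's real record layout; it assumes Ruby 3.1+ with the bundled openssl gem.

```ruby
require 'openssl'
require 'json'

# Added example, not BSV Ruby SDK code. The canonical form below is an assumption
# standing in for BRC-52's canonical field encoding; the point is the storage gate.
SIGNED_FIELDS = %i[type serial_number subject certifier revocation_outpoint fields].freeze

# Deterministic bytes the certifier signs: fixed field order, signature excluded.
def canonical_bytes(cert)
  JSON.generate(SIGNED_FIELDS.map { |f| [f, cert.fetch(f)] }.to_h)
end

# Certifier side (what an honest issuance endpoint does); key is secp256k1.
def issue_certificate(certifier_key, cert)
  signed = cert.merge(certifier: certifier_key.public_to_pem)
  sig = certifier_key.sign(OpenSSL::Digest.new('SHA256'), canonical_bytes(signed))
  signed.merge(signature: sig.unpack1('H*'))
end

# The missing check: the signature must verify under the certifier key named in
# the record, and that certifier must be one the wallet actually trusts.
def certificate_valid?(cert, trusted_certifier_pems)
  return false unless trusted_certifier_pems.include?(cert.fetch(:certifier))
  sig = [cert.fetch(:signature)].pack('H*')
  return false if sig.empty?
  pub = OpenSSL::PKey::EC.new(cert.fetch(:certifier))
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, canonical_bytes(cert))
rescue KeyError, OpenSSL::PKey::PKeyError
  false # missing field, unparsable key or malformed signature is never "valid"
end

# Hardened persist: both the 'direct' and 'issuance' paths must pass this gate.
def persist(store, cert, trusted_certifier_pems)
  raise ArgumentError, 'certifier signature does not verify' unless certificate_valid?(cert, trusted_certifier_pems)
  store << cert
end

# Audit for records written by an unpatched client: returns the ones that fail.
def audit(store, trusted_certifier_pems)
  store.reject { |c| certificate_valid?(c, trusted_certifier_pems) }
end

# Constructed sample data: one genuine record, one with tampered contents but the
# original signature, one signed by a key the wallet does not trust.
CERTIFIER = OpenSSL::PKey::EC.generate('secp256k1')
TRUSTED = [CERTIFIER.public_to_pem].freeze
BASE = { type: 'example-kyc', serial_number: 'SN-0001', subject: 'subject-key-placeholder',
         revocation_outpoint: "#{'00' * 32}.0", fields: { name: 'Alice' } }.freeze
GENUINE = issue_certificate(CERTIFIER, BASE)
TAMPERED = GENUINE.merge(fields: { name: 'Mallory' })
UNTRUSTED = issue_certificate(OpenSSL::PKey::EC.generate('secp256k1'), BASE)
```

Running `audit(existing_records, TRUSTED)` over a dump of the certificate table is the closest thing to the detection command the answer above says is not available.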

