CVE-2026-40070
Received Received - Intake
Signature Verification Bypass in BSV Ruby SDK WalletClient

Publication date: 2026-04-09

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40070
EUVD
EUVD-2026-20996
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sgbett bsv-wallet From 0.1.2 (inc) to 0.3.4 (exc)
sgbett bsv_ruby_sdk From 0.3.1 (inc) to 0.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in CVE-2026-40070 allows attackers to forge identity certificates by bypassing signature verification in the BSV Ruby SDK. This undermines the authenticity and integrity of digital identity certificates used on the Bitcoin SV blockchain.

Since identity certificates are critical for verifying user identities and controlling access to sensitive data, this flaw can lead to unauthorized access or impersonation, which may violate data protection and privacy regulations such as GDPR and HIPAA.

Specifically, the ability to forge certificates without proper verification compromises the trustworthiness of identity assertions, potentially leading to breaches of confidentiality, improper data handling, and failure to ensure data subject rights, all of which are key compliance requirements.

Therefore, until patched, systems relying on the affected versions of the BSV Ruby SDK may be non-compliant with standards that mandate strong identity verification and data protection controls.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade the affected Ruby gems to the patched versions:

  • Upgrade `bsv-sdk` to version 0.8.2 or later.
  • Upgrade `bsv-wallet` to version 0.3.4 or later.

These versions include fixes that enforce signature verification on certificates before persisting them, closing the vulnerability that allowed forged certificates.

Additionally, ensure that your deployment uses the paired versions of these gems together to avoid dependency mismatches that could omit critical fixes.

Review your usage of the `acquire_certificate` method to confirm that it is not accepting unverified certificates from untrusted sources.

Executive Summary

CVE-2026-40070 is a critical security vulnerability in the BSV Ruby SDK, specifically in the method BSV::Wallet::WalletClient#acquire_certificate. This method stores identity certificate records without verifying the certifier's cryptographic signature over the certificate contents. There are two acquisition paths affected: in the 'direct' path, the caller supplies all certificate fields including the signature, which are stored verbatim without verification; in the 'issuance' path, the client posts to a certifier URL and stores the returned signature without verifying it.

Because of this lack of signature verification, an attacker who can access either API or control a certifier endpoint can forge identity certificates that appear authentic to downstream methods like list_certificates and prove_certificate. This effectively allows credential forgery, as forged certificates are trusted as valid.

The vulnerability violates the BRC-52 specification, which requires verifying a certificate's signature over a canonical hash of its fields using the certifier's public key. The Ruby SDK failed to implement this verification, unlike the reference TypeScript SDK.

Impact Analysis

This vulnerability allows attackers to forge identity certificates that downstream systems will accept as authentic. This means an attacker can impersonate other identities or create fraudulent credentials within systems relying on the BSV Ruby SDK for certificate verification.

Such forged certificates can be used to bypass authentication, gain unauthorized access, or prove false identities, potentially compromising the security and trustworthiness of applications using these certificates.

The CVSS v3.1 base score of 8.1 (High severity) reflects the significant confidentiality and integrity impacts, as the vulnerability allows credential forgery without user interaction and requires only low privileges.

Detection Guidance

This vulnerability involves the BSV Ruby SDK persisting certificate records without verifying the certifier's signature, allowing forged certificates to appear authentic. Detection involves identifying unverified or forged certificates stored or used by the SDK.

Since the vulnerability is in the Ruby SDK's handling of certificates, detection on your system can include auditing stored certificates for signature verification failures or anomalies.

There are no explicit commands provided in the available resources to detect this vulnerability directly on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40070. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart