CVE-2026-9058
Szafir SDK Signature Verification Bypass via Unverified Certificate
Publication date: 2026-05-25
Last updated on: 2026-05-25
Assigner: CERT.PL
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| szafir | szafir_sdk | 463 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-637 | The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used. |
| CWE-393 | A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Szafir SDK causes it to return a success status code from the digital signature verification process even when the trust status of the signer's certificate cannot be established.
Specifically, the SDK indicates a signature is "Positively verified" (code == 0) despite the certificate type being "nondetermined", meaning the certificate chain is unverified.
As a result, applications using this SDK may incorrectly treat signatures as valid, enabling attackers to bypass authentication and impersonate users.
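The failure mode described above (a success code returned while the signer's certificate trust status is still "nondetermined") is easiest to see from the consuming application's side. The block below is an added example, not code from the Szafir SDK or from this advisory; the result structure, field names, status codes and status strings are assumptions chosen to model the description, not the SDK's real API. It contrasts the naive check that trusts the return code alone with a fail-closed check that also requires a determined, trusted certificate chain, and adds an audit helper that flags past verification records showing the same pattern.

```python
"""Fail-closed handling of a signature-verification result.

Added example modelling CVE-2026-9058: the SDK reports "Positively verified"
(code == 0) even when the certificate chain could not be verified.
All names, codes and status strings here are hypothetical.
"""
from dataclasses import dataclass

SIGNATURE_OK = 0                       # assumed: SDK's "Positively verified" code
TRUSTED_CERT_STATES = {"trusted"}      # assumed: only state that means chain verified
# Anything else ("nondetermined", "untrusted", "revoked", "expired", ...) fails closed.


@dataclass(frozen=True)
class VerificationResult:
    code: int           # overall status code returned by the verifier
    cert_status: str    # trust status of the signer's certificate chain
    signer: str         # identity the signature claims (constructed sample data)


def naive_is_valid(result: VerificationResult) -> bool:
    """The pattern the advisory warns about: the return code alone decides."""
    return result.code == SIGNATURE_OK


def hardened_is_valid(result: VerificationResult) -> bool:
    """Accept only if the signature verified AND the chain is determined and trusted."""
    if result.code != SIGNATURE_OK:
        return False
    # An undetermined trust status is not a trusted one: fail closed.
    return result.cert_status in TRUSTED_CERT_STATES


def audit_silent_successes(records):
    """Return records where a success code was paired with an unverified chain.

    Useful for reviewing historical verification logs produced while the
    vulnerable behaviour was in place.
    """
    return [r for r in records
            if r.code == SIGNATURE_OK and r.cert_status not in TRUSTED_CERT_STATES]


# Constructed sample results (not real SDK output).
SAMPLE_RESULTS = [
    VerificationResult(0, "trusted", "alice"),        # genuinely valid
    VerificationResult(0, "nondetermined", "mallory"),  # the CVE-2026-9058 case
    VerificationResult(0, "revoked", "bob"),          # cert state known bad
    VerificationResult(1, "trusted", "carol"),        # signature itself failed
]


def decisions(results=SAMPLE_RESULTS):
    """Map signer -> (naive decision, hardened decision) for each sample."""
    return {r.signer: (naive_is_valid(r), hardened_is_valid(r)) for r in results}


if __name__ == "__main__":
    for signer, (naive, hardened) in decisions().items():
        print(f"{signer:8s} naive={naive!s:5s} hardened={hardened}")
    flagged = audit_silent_successes(SAMPLE_RESULTS)
    print("silent successes:", [r.signer for r in flagged])
```

The point of `hardened_is_valid` is the allow-list: rather than rejecting the one status string named in the advisory, it accepts only a status that positively means "chain verified", so any new or unexpected state from the library is treated as failure. `audit_silent_successes` applies the same rule retroactively to stored results, which is the check a defender wants when assessing what was accepted before the upgrade.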
How can this vulnerability impact me?
This vulnerability can lead to authentication bypass, allowing attackers to impersonate legitimate users.
Because the SDK incorrectly validates digital signatures with unverified certificates, malicious actors could gain unauthorized access to systems or data.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in Szafir SDK version 463. Immediate mitigation should include upgrading to version 463 or later to ensure the cryptographic digital signature verification process correctly validates the trust status of the signer's certificate.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes the Szafir SDK to incorrectly indicate that a digital signature verification was successful even when the signer's certificate trust status is undetermined. As a result, consuming applications may treat unverified signatures as valid, enabling authentication bypass and user impersonation.
Such authentication bypass and user impersonation risks can lead to violations of security requirements in common standards and regulations like GDPR and HIPAA, which mandate strong authentication and data integrity controls to protect personal and sensitive information.
Therefore, this vulnerability could negatively impact compliance by undermining the trustworthiness of digital signatures used for authentication and data validation.