CVE-2026-9058
Deferred Deferred - Pending Action
Szafir SDK Signature Verification Bypass via Unverified Certificate

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: CERT.PL

Description
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-25
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9058
EUVD
EUVD-2026-31679
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
szafir szafir_sdk 463
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-637 The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.
CWE-393 A function or operation returns an incorrect return value or status code that does not indicate the true result of execution, causing the product to modify its behavior based on the incorrect result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Szafir SDK causes it to return a success status code from the digital signature verification process even when the trust status of the signer's certificate cannot be established.

Specifically, the SDK indicates a signature is "Positively verified" (code == 0) despite the certificate type being "nondetermined", meaning the certificate chain is unverified.

As a result, applications using this SDK may incorrectly treat signatures as valid, enabling attackers to bypass authentication and impersonate users.

Impact Analysis

This vulnerability can lead to authentication bypass, allowing attackers to impersonate legitimate users.

Because the SDK incorrectly validates digital signatures with unverified certificates, malicious actors could gain unauthorized access to systems or data.

Mitigation Strategies

The vulnerability is fixed in Szafir SDK version 463. Immediate mitigation should include upgrading to version 463 or later to ensure the cryptographic digital signature verification process correctly validates the trust status of the signer's certificate.

Compliance Impact

This vulnerability causes the Szafir SDK to incorrectly indicate that a digital signature verification was successful even when the signer's certificate trust status is undetermined. As a result, consuming applications may treat unverified signatures as valid, enabling authentication bypass and user impersonation.

Such authentication bypass and user impersonation risks can lead to violations of security requirements in common standards and regulations like GDPR and HIPAA, which mandate strong authentication and data integrity controls to protect personal and sensitive information.

Therefore, this vulnerability could negatively impact compliance by undermining the trustworthiness of digital signatures used for authentication and data validation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9058. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart