CVE-2026-9058

Summary

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.

This issue was fixed in version 463.

Affected Software

VendorProductVersion RangeStatus
Krajowa Izba RozliczeniowaSzafir SDK0 < 463affected

Weaknesses

  • CWE-637: CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
  • CWE-393: CWE-393: Return of Wrong Status Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References