Home

Description

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

PUBLISHED Reserved 2026-05-20 | Published 2026-05-25 | Updated 2026-05-26 | Assigner CERT-PL




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')

CWE-393: Return of Wrong Status Code

Product status

Default status
unaffected

Any version before 463
affected

Credits

Michał Leszczyński (icedev.pl) finder

References

cert.pl/posts/2026/05/CVE-2026-9058 third-party-advisory

www.elektronicznypodpis.pl/ product

cve.org (CVE-2026-9058)

nvd.nist.gov (CVE-2026-9058)

Download JSON