Description
Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with known values are encoded.

This issue was fixed in version 20.0.380.92.
Published: 2026-03-12
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Token Forgery
Action: Patch
AI Analysis

Impact

The vulnerability arises from Streamsoft Prestiż's use of a custom, non-standard encoding algorithm for the KSeF (Krajowy System e-Faktur) token. Because the encoding can be reverse-engineered by observing tokens with known values, an attacker can predict or forge valid tokens. This effectively creates an authentication bypass that permits unauthorized access to the KSeF system. The weakness is categorized as CWE-261 (Weak Encoding for Password): a secret is protected by a reversible encoding rather than by proper cryptography.

Affected Systems

The affected product is Streamsoft Prestiż. The vendor has indicated that the issue was corrected in release 20.0.380.92. The specific versions prior to this patch are not enumerated in the advisory, so any installation leveraging the older custom encoding algorithm is presumed vulnerable. Administrators should verify the product version and apply the noted patch when possible.

Risk and Exploitability

The CVSS score of 6.3 signals moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur remotely, by collecting legitimate tokens and using the predictable encoding to generate valid authentication tokens. The requirement to first observe real tokens limits the attack surface, but once a token is forged, the attacker gains whatever access that token grants.

Generated by OpenCVE AI on March 18, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch to upgrade Streamsoft Prestiż to version 20.0.380.92 or later.
  • If the patch cannot be applied immediately, consider disabling or restricting use of KSeF token authentication until a secure implementation is available.
  • Monitor application logs for anomalous or repeated token usage that may indicate token forgery.
  • Maintain current system backups and enable intrusion detection to detect unauthorized use of forged tokens.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Streamsoft
                                      Streamsoft streamsoft Prestiż
Vendors & Products                    Streamsoft
                                      Streamsoft streamsoft Prestiż

Thu, 12 Mar 2026 14:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 13:15:00 +0000

Type          Values Removed   Values Added
Description                    Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with known values are encoded. This issue was fixed in version 20.0.380.92.
Title                          Weak KSeF token encoding in Streamsoft Prestiż
Weaknesses                     CWE-261
References
Metrics                        cvssV4_0
                               {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-12T14:04:53.073Z

Reserved: 2026-01-09T14:56:38.137Z

Link: CVE-2026-0809

Vulnrichment

Updated: 2026-03-12T14:04:22.959Z

NVD

Status : Deferred

Published: 2026-03-12T13:16:00.723

Modified: 2026-04-27T19:22:08.623

Link: CVE-2026-0809

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:48Z

Weaknesses