Description
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Signature Bypass
Action: Immediate Patch
AI Analysis

Impact

The loop variable capture flaw in goxmldsig's validateSignature function causes the internal reference pointer to reference the last element in the SignedInfo.References slice, regardless of matches. This allows crafted XML documents to bypass signature verification, enabling an attacker to alter the signed content while still passing validation.

Affected Systems

Affected software includes the goxmldsig library distributed by russellhaering, versions prior to 1.6.0. Any application using this library to process XML signatures is susceptible.

Risk and Exploitability

The vulnerability carries a CVSS base score of 7.5 and has not been marked as commonly exploited. It is not listed in the KEV catalog and no exploit probability score is available. Likely exploitation requires the attacker to supply manipulated XML to a system that relies on goxmldsig for signature validation, such as an HTTP service or an XML processing pipeline.

Generated by OpenCVE AI on March 26, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade goxmldsig to version 1.6.0 or later.
  • If upgrading is not feasible, restrict or validate XML input to ensure only legitimate signed elements are processed.
  • Verify that applications using the library have not been exposed to untrusted XML sources and consider implementing additional input validation.

Generated by OpenCVE AI on March 26, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-479m-364c-43vc validateSignature Loop Variable Capture Signature Bypass in goxmldsig
History

Mon, 30 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Russellhaering
Russellhaering goxmldsig
Vendors & Products Russellhaering
Russellhaering goxmldsig

Thu, 26 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmlsig version 1.6.0 contains a patch.
Title goxmldsig has validateSignature Loop Variable Capture Signature Bypass
Weaknesses CWE-347
CWE-682
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Russellhaering Goxmldsig
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T11:16:34.970Z

Reserved: 2026-03-20T16:16:48.971Z

Link: CVE-2026-33487

cve-icon Vulnrichment

Updated: 2026-03-30T11:16:27.338Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-26T18:16:30.070

Modified: 2026-03-30T13:26:50.827

Link: CVE-2026-33487

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-26T17:17:51Z

Links: CVE-2026-33487 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:25:56Z

Weaknesses