Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
Published: 2026-04-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Forged identity certificates can be created and accepted as authentic.
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows unverified certifier signatures to be stored during the certificate acquisition process, whether through the direct or issuance protocol. Because the client writes the signature it receives directly to storage, an attacker can supply or forge a certifier signature that will subsequently appear valid to list_certificates and prove_certificate calls. This flaw permits the creation of false identity certificates that an application will treat as legitimate, potentially enabling impersonation or unauthorized operations on the BSV network. The weakness is a classic example of improper validation of user data (CWE-347).

Affected Systems

The issue affects the sgbett BSV Ruby SDK, BSV SDK, and BSV Wallet products. Version numbers from 0.3.1 up to, but not including, 0.8.2 are vulnerable. Systems running these libraries that expose the acquire_certificate API are exposed to risk, especially those that permit external callers to request certificates or control a certifier endpoint.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog, but the attack vector is straightforward: an attacker can send a crafted request to either the direct or issuance acquire_certificate endpoint, or control a certifier endpoint and supply a forged signature. The exploit has minimal prerequisites—simply the ability to communicate with the API—and therefore the likelihood of exploitation is high. The resulting impact ranges from identity spoofing to potentially fraudulent transactions if certificate-based authorization is used.

Generated by OpenCVE AI on April 9, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BSV Ruby SDK, BSV SDK, and BSV Wallet to a version that includes the signature verification fix (≥0.8.2).
  • Restrict access to the acquire_certificate API so that only trusted clients or internal networks can invoke it, and apply firewall or network segmentation as needed.
  • If an upgrade is not immediately possible, modify the code to verify the certifier’s signature before persisting the certificate record. If code changes are not feasible, disable unused acquisition protocols (direct or issuance) to reduce the attack surface.

Generated by OpenCVE AI on April 9, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hc36-c89j-5f4j bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
History

Fri, 24 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Sgbett bsv Ruby Sdk
CPEs cpe:2.3:a:sgbett:bsv-wallet:*:*:*:*:*:ruby:*:*
cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*
Vendors & Products Sgbett bsv Ruby Sdk

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Sgbett
Sgbett bsv-ruby-sdk
Sgbett bsv-sdk
Sgbett bsv-wallet
Vendors & Products Sgbett
Sgbett bsv-ruby-sdk
Sgbett bsv-sdk
Sgbett bsv-wallet

Thu, 09 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
Title bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
Weaknesses CWE-347
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Sgbett Bsv-ruby-sdk Bsv-sdk Bsv-wallet Bsv Ruby Sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:38:58.154Z

Reserved: 2026-04-09T00:39:12.204Z

Link: CVE-2026-40070

cve-icon Vulnrichment

Updated: 2026-04-13T15:28:18.351Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T18:17:03.203

Modified: 2026-04-24T17:03:39.437

Link: CVE-2026-40070

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:31:55Z

Weaknesses