Description
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.

This issue was fixed in version 463.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Szafir SDK incorrectly reports a successful signature verification (code 0) even when the signer's certificate trust status could not be established, as indicated by the nondetermined certificate type. This flaw means that applications relying on the SDK may accept forged or untrusted signatures as valid, allowing an attacker to impersonate legitimate users or bypass authentication controls. The weakness is rooted in improper handling of certificate validation errors (CWE-393) and insufficient certificate trust verification (CWE-637).

Affected Systems

The affected product is the Szafir SDK from Krajowa Izba Rozliczeniowa. All releases before version 463 are impacted, while version 463 and later contain the fix that correctly treats nondetermined certificates as invalid.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating critical severity. EPSS is not available, so precise exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an adversary can supply a maliciously signed document or transaction to an application that consumes the SDK, leading to authentication bypass and user impersonation. Because the SDK returns a success status code regardless of the certificate’s trustworthiness, any application without additional verification steps is vulnerable to this bypass.

Generated by OpenCVE AI on May 25, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Szafir SDK to version 463 or later, which implements proper certificate trust validation.
  • If an upgrade is not immediately possible, modify consuming applications to perform independent certificate chain verification before trusting the SDK’s verification result. Reject signatures marked as nondetermined or unavailable.
  • Apply network segmentation and enforce strict access controls on components that process signed data to limit the potential impact of a bypass.
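One way for a consuming application to apply the second recommendation above, as an added example that is not SDK or OpenCVE code: parse a verification result shaped like the XPaths quoted in the description and fail closed unless both the result code is 0 and the certificate trust status is on an allow-list. The XML samples are constructed, and the accepted value "trusted" is a placeholder, since the page names only the rejected values.

```python
import xml.etree.ElementTree as ET

# Certificate trust states the advisory says must be rejected.
REJECTED_CERT_TYPES = {"nondetermined", "unavailable"}
# Placeholder allow-list: the positive value is not given on the advisory page,
# so take the real one from the SDK documentation and configure it here.
ACCEPTED_CERT_TYPES = {"trusted"}

# Relative forms of the XPaths quoted in the description (root is VerifyingTaskItem).
RESULT_PATH = "./Signature/VerificationResult/Result"
CERT_PATH = "./Signature/VerificationResult/SigningCertificate"


def evaluate_verification(xml_text, accepted_types=ACCEPTED_CERT_TYPES):
    """Return (accepted, reason) for one VerifyingTaskItem document.

    The SDK result code alone is not trusted: the signer certificate status
    must also be acceptable, and anything missing or unrecognised fails closed.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, "unparseable verification result: %s" % exc
    if root.tag != "VerifyingTaskItem":
        return False, "unexpected root element %r" % root.tag
    result = root.find(RESULT_PATH)
    code = result.get("code") if result is not None else None
    if code != "0":
        return False, "signature result code %r is not 0" % code
    cert = root.find(CERT_PATH)
    cert_type = cert.get("certificateType") if cert is not None else None
    if cert_type in REJECTED_CERT_TYPES:
        return False, "certificate trust status %r rejected" % cert_type
    if cert_type not in accepted_types:
        return False, "certificate trust status %r not in allow-list" % cert_type
    return True, "signature valid and signer certificate trusted"


def sample_document(code, cert_type):
    """Constructed result document following the element layout from the advisory."""
    return (
        "<VerifyingTaskItem><Signature><VerificationResult>"
        '<Result code="%s"/><SigningCertificate certificateType="%s"/>'
        "</VerificationResult></Signature></VerifyingTaskItem>" % (code, cert_type)
    )


if __name__ == "__main__":
    for code, cert_type in [("0", "trusted"), ("0", "nondetermined"), ("1", "trusted")]:
        print(code, cert_type, evaluate_verification(sample_document(code, cert_type)))
```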

Advisories

No advisories yet.

History

Mon, 25 May 2026 13:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.
Title        (none)           Improper Certificate Verification in Szafir SDK
Weaknesses   (none)           CWE-393, CWE-637
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-25T13:23:09.157Z

Reserved: 2026-05-20T06:36:10.929Z

Link: CVE-2026-9058

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T14:45:16Z

Weaknesses