Description
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.

This issue was fixed in version 463.
Published: 2026-05-25
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Szafir SDK reports a successful signature verification (code 0) even when the trust status of the signer's certificate could not be established, as indicated by the nondetermined certificate type. Applications relying on the SDK may therefore accept forged or untrusted signatures as valid, allowing an attacker to impersonate legitimate users or bypass authentication controls. The record classifies the weakness as CWE-393 (Return of Wrong Status Code) and CWE-637 (Unnecessary Complexity in Protection Mechanism).

Affected Systems

The affected product is the Szafir SDK from Krajowa Izba Rozliczeniowa. All releases before version 463 are impacted; version 463 and later contain the fix, which correctly treats nondetermined certificates as invalid.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating critical severity. EPSS is not available, so precise exploitation likelihood cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an adversary can supply a maliciously signed document or transaction to an application that consumes the SDK, leading to authentication bypass and user impersonation. Because the SDK returns a success status code regardless of the certificate’s trustworthiness, any application without additional verification steps is vulnerable to this bypass.

Generated by OpenCVE AI on May 25, 2026 at 14:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Szafir SDK to version 463 or later, which implements proper certificate trust validation.
  • If an upgrade is not immediately possible, modify consuming applications to perform independent certificate chain verification before trusting the SDK’s verification result. Reject signatures marked as nondetermined or unavailable.
  • Apply network segmentation and enforce strict access controls on components that process signed data to limit the potential impact of a bypass.

Generated by OpenCVE AI on May 25, 2026 at 14:35 UTC.
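
One way a consuming application can apply the second recommended action, as an added example (not code from Krajowa Izba Rozliczeniowa, the Szafir SDK or OpenCVE): treat the result as valid only when Result/@code is 0 and the certificate type is present and neither nondetermined nor unavailable. It assumes the verification report is available as XML nested exactly as in the two paths quoted in the description; the function names, the sample documents and the value `placeholder-trusted-type` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Certificate types the advisory says must not be trusted.
UNTRUSTED_CERT_TYPES = {"nondetermined", "unavailable"}

def _children(elem, name):
    # Match on local name so the check works with or without an XML namespace.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def check_signature(sig):
    """Return (accepted, reason) for one Signature element."""
    results = _children(sig, "VerificationResult")
    if len(results) != 1:
        return False, "missing or duplicated VerificationResult"
    res = _children(results[0], "Result")
    certs = _children(results[0], "SigningCertificate")
    if len(res) != 1 or res[0].get("code") != "0":
        return False, "Result/@code is not 0"
    if len(certs) != 1:
        return False, "missing or duplicated SigningCertificate"
    cert_type = (certs[0].get("certificateType") or "").strip().lower()
    if not cert_type or cert_type in UNTRUSTED_CERT_TYPES:
        return False, "certificate trust not established"
    return True, "ok"

def accept_report(xml_text):
    """Fail closed: at least one signature, and every signature must pass."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "malformed report"
    if root.tag.rsplit("}", 1)[-1] != "VerifyingTaskItem":
        return False, "unexpected root element"
    sigs = _children(root, "Signature")
    if not sigs:
        return False, "no Signature element"
    for sig in sigs:
        ok, reason = check_signature(sig)
        if not ok:
            return False, reason
    return True, "ok"

# Constructed sample reports (not SDK output); "placeholder-trusted-type" is made up.
_TEMPLATE = ('<VerifyingTaskItem><Signature><VerificationResult>'
             '<Result code="{code}"/><SigningCertificate{attr}/>'
             '</VerificationResult></Signature></VerifyingTaskItem>')
VULNERABLE_CASE = _TEMPLATE.format(code="0", attr=' certificateType="nondetermined"')
TRUSTED_CASE = _TEMPLATE.format(code="0", attr=' certificateType="placeholder-trusted-type"')
NO_TYPE_CASE = _TEMPLATE.format(code="0", attr="")
```

This check only refuses results whose trust status is unknown; it does not perform the independent certificate chain verification that the same recommendation calls for.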

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Krajowa Izba Rozliczeniowa; Krajowa Izba Rozliczeniowa szafir Sdk |
| Vendors & Products | | Krajowa Izba Rozliczeniowa; Krajowa Izba Rozliczeniowa szafir Sdk |

Tue, 26 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Mon, 25 May 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463. |
| Title | | Improper Certificate Verification in Szafir SDK |
| Weaknesses | | CWE-393; CWE-637 |
| References | | |
| Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-26T15:58:01.602Z

Reserved: 2026-05-20T06:36:10.929Z

Link: CVE-2026-9058

Vulnrichment

Updated: 2026-05-26T15:57:58.683Z

NVD

Status: Deferred

Published: 2026-05-25T14:16:27.977

Modified: 2026-05-26T19:59:22.323

Link: CVE-2026-9058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:05:59Z

Weaknesses
  • CWE-393

    Return of Wrong Status Code

  • CWE-637

    Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')