PT-2026-31672 · Unknown · Bsv Ruby Wallet +1

Published: 2026-04-09 · Updated: 2026-04-10 · CVE-2026-40070

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
BSV Ruby SDK versions 0.3.1 through 0.8.1
BSV Ruby Wallet versions 0.1.2 through 0.3.3

Description
The BSV Ruby SDK and Wallet contain a flaw in the acquire-certificate function, which does not verify the certifier's signature over the certificate contents. This affects both the 'direct' and 'issuance' acquisition protocols. In the 'direct' protocol, the caller provides all certificate fields, including the signature, and the certificate is written to storage without verification. In the 'issuance' protocol, the client posts to a certifier URL and writes the signature from the response body to storage without verification. An attacker who can reach either API, or who controls a certifier endpoint, can therefore forge identity certificates that the list-certificates and prove-certificate functions then present as authentic. The vulnerable code resides in lib/bsv/wallet_interface/wallet_client.rb. The downstream impact is potential credential forgery: applications that rely on the wallet's certificate store as a source of truth for identity attributes are affected.

Recommendations
Upgrade to BSV Ruby SDK version 0.8.2 or later. Upgrade to BSV Ruby Wallet version 0.3.4 or later.
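As an added illustration of the weakness described above (this is example code written for this page, not code from the BSV Ruby SDK or Wallet), the Ruby sketch below contrasts the flawed pattern, writing whatever certificate arrives straight to storage, with an acquisition path that checks the certifier against a trust list and verifies the certifier's signature over the certificate contents before storing. The RSA keys, the certificate field layout, the canonical signing payload, the store class and all method names are assumptions made for the demonstration and do not reproduce the SDK's real certificate format or API.

```ruby
require 'openssl'
require 'json'

# Constructed keys for the demonstration (not real certifier keys).
CERTIFIER_KEY = OpenSSL::PKey::RSA.generate(2048) # the legitimate certifier
ATTACKER_KEY  = OpenSSL::PKey::RSA.generate(2048) # operator of a rogue certifier endpoint

# Canonical bytes the certifier signs: every field except the signature,
# serialised with sorted top-level keys so issuer and wallet agree byte-for-byte.
def signing_payload(cert)
  JSON.generate(cert.reject { |k, _| k == 'signature' }.sort.to_h)
end

# Certifier side: build a certificate (assumed layout) and sign its contents.
def issue_certificate(certifier_key, subject:, cert_type:, fields:)
  cert = {
    'type'         => cert_type,
    'subject'      => subject,
    'certifier'    => certifier_key.public_key.to_pem,
    'serialNumber' => OpenSSL::Random.random_bytes(16).unpack1('H*'),
    'fields'       => fields,
  }
  sig = certifier_key.sign(OpenSSL::Digest.new('SHA256'), signing_payload(cert))
  cert.merge('signature' => sig.unpack1('H*'))
end

# Wallet side: does the signature really cover these contents under the
# certifier key named in the certificate? Malformed input counts as invalid.
def signature_valid?(cert)
  pub = OpenSSL::PKey::RSA.new(cert.fetch('certifier'))
  sig = [cert.fetch('signature')].pack('H*')
  pub.verify(OpenSSL::Digest.new('SHA256'), sig, signing_payload(cert))
rescue OpenSSL::PKey::PKeyError, ArgumentError, KeyError, TypeError
  false
end

class CertificateStore
  attr_reader :certificates

  def initialize(trusted_certifier_pems:)
    @trusted = trusted_certifier_pems
    @certificates = []
  end

  # The flawed pattern: whatever arrives (caller-supplied fields in the 'direct'
  # protocol, or a certifier's HTTP response in 'issuance') is stored as-is.
  def acquire_unverified(cert)
    @certificates << cert
    true
  end

  # Hardened pattern: refuse to store anything whose certifier is not trusted
  # or whose signature does not verify over the certificate contents.
  def acquire(cert)
    return false unless @trusted.include?(cert['certifier'])
    return false unless signature_valid?(cert)
    @certificates << cert
    true
  end
end

# Scenarios matching the advisory: forged certificates pushed through the
# 'direct' path, and a rogue certifier answering the 'issuance' request.
def run_scenarios
  trusted = [CERTIFIER_KEY.public_key.to_pem]
  subject = 'subject-key-placeholder'
  genuine = issue_certificate(CERTIFIER_KEY, subject: subject,
                              cert_type: 'age-verified', fields: { 'over18' => 'true' })
  # 'direct': the real signature is kept but a field is edited
  tampered = genuine.merge('fields' => { 'over18' => 'true', 'admin' => 'true' })
  # 'direct': the trusted certifier is named, but the signature comes from another key
  spoofed = issue_certificate(ATTACKER_KEY, subject: subject,
                              cert_type: 'age-verified', fields: { 'admin' => 'true' })
  spoofed = spoofed.merge('certifier' => CERTIFIER_KEY.public_key.to_pem)
  # 'issuance': a rogue endpoint returns a certificate under its own key
  rogue = issue_certificate(ATTACKER_KEY, subject: subject,
                            cert_type: 'age-verified', fields: { 'admin' => 'true' })

  unverified = CertificateStore.new(trusted_certifier_pems: trusted)
  verified   = CertificateStore.new(trusted_certifier_pems: trusted)
  [genuine, tampered, spoofed, rogue].each do |c|
    unverified.acquire_unverified(c)
    verified.acquire(c)
  end
  { unverified_stored: unverified.certificates.size,
    verified_stored: verified.certificates.size }
end

puts run_scenarios if $PROGRAM_NAME == __FILE__
```

Running the file stores all four certificates in the unverified store and only the genuine one in the verified store. The trust-list check matters independently of signature verification: a certificate that verifies under an attacker's own key is internally consistent, so the wallet must also decide which certifier keys it accepts before treating the store as a source of truth.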


Weakness Enumeration: Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2026-40070
GHSA-HC36-C89J-5F4J

Affected Products

Bsv-Ruby-Sdk
Bsv Ruby Wallet