PT-2026-39308 · Unknown · Epa4All-Client

Chiara Fliegner +2 · Published 2026-05-08 · Updated 2026-05-27

CVE-2026-44900

CVSS v3.1: 8.1 (High)

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: epa4all-client (affected versions not specified)

Description: A signature bypass exists in the isTrusted() method of the SignedPublicKeysTrustValidatorImpl class. The ECDSA verification path calls Signature.verify() but discards its boolean return value. Certificate chain validation, OCSP checks and signature algorithm setup are all performed, yet whether the signature actually matches the signed data under the signer's key is never checked, so the method returns true for any structurally valid signature, including one produced with an attacker-controlled key. Only a malformed signature is rejected, because Java's Signature.verify() signals a bad encoding by throwing SignatureException rather than by returning false.

Recommendations: Update to a version that includes the fix provided in pull request #34.
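The following is an added illustration of the bug class described above, not code from the epa4all-client project: a simplified isTrusted() in the shape the advisory describes (verify() result discarded) beside the corrected form, exercised with a signature produced under a key the verifier does not trust. The class and method names here are hypothetical; only the java.security API calls are real.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class DiscardedVerifyDemo {

    // Vulnerable shape (hypothetical reconstruction of the described flaw):
    // verify() is called, but its boolean result is thrown away, so any
    // well-formed DER ECDSA signature is accepted. Only a malformed
    // signature trips the SignatureException and lands in the catch block.
    static boolean isTrustedVulnerable(PublicKey trustedKey, byte[] data, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(trustedKey);
            verifier.update(data);
            verifier.verify(sig); // BUG: return value ignored
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    // Corrected shape: the outcome of the check IS the result of verify().
    static boolean isTrustedFixed(PublicKey trustedKey, byte[] data, byte[] sig) {
        try {
            Signature verifier = Signature.getInstance("SHA256withECDSA");
            verifier.initVerify(trustedKey);
            verifier.update(data);
            return verifier.verify(sig);
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair trusted = kpg.generateKeyPair();   // key the validator trusts
        KeyPair attacker = kpg.generateKeyPair();  // key the attacker controls

        // Constructed sample payload standing in for the signed public key material.
        byte[] payload = "signed-public-keys-blob".getBytes(StandardCharsets.UTF_8);

        // Structurally valid ECDSA signature, but made with the wrong key.
        Signature signer = Signature.getInstance("SHA256withECDSA");
        signer.initSign(attacker.getPrivate());
        signer.update(payload);
        byte[] forged = signer.sign();

        System.out.println("vulnerable isTrusted: " + isTrustedVulnerable(trusted.getPublic(), payload, forged));
        System.out.println("fixed isTrusted:      " + isTrustedFixed(trusted.getPublic(), payload, forged));

        // A malformed blob is the one input the vulnerable version still rejects,
        // because verify() throws instead of returning false.
        byte[] garbage = new byte[] {0x01, 0x02, 0x03};
        System.out.println("vulnerable on garbage: " + isTrustedVulnerable(trusted.getPublic(), payload, garbage));
    }
}
```

Run with `javac DiscardedVerifyDemo.java && java DiscardedVerifyDemo`. The vulnerable variant accepts the forged signature while the fixed one rejects it; both reject the garbage bytes, which is exactly why chain validation, OCSP and a try/catch around verify() give a false sense of coverage: the exception path is exercised, the boolean path is not. A unit test that feeds a signature from an untrusted key and expects false is the regression check worth adding alongside the fix.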

Fix

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

CVE-2026-44900
GHSA-G8R3-5HWF-QP96

Affected Products

Epa4All-Client