PT-2026-43045 · Unknown · Szafir Sdk
Michał Leszczyński
·
Published
2026-05-25
·
Updated
2026-05-28
·
CVE-2026-9058
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Szafir SDK versions prior to 463
Description
The software returns a success status code from the cryptographic digital signature verification process when the trust status of the signer's certificate cannot be established. Specifically, the path
/VerifyingTaskItem/Signature/VerificationResult/Result/@code returns 0 (Positively verified) even if /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType is set to nondetermined. This improper certificate verification allows consuming applications to treat signatures as valid despite an unverified certificate chain, which can lead to authentication bypass and user impersonation.Recommendations
Update to version 463.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Szafir Sdk