9.3
CVE-2026-9058: Szafir SDK Falsely Verifies Digital Signatures
CVE-2026-9058
Summary
The Szafir SDK incorrectly reports a digital signature as valid when the signer's certificate cannot be verified. This allows attackers to bypass authentication and impersonate users. Affected applications should update to version 463 or later to fix this issue.
Original title
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified"...
Original description
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.
This issue was fixed in version 463.
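A consuming application can refuse to rely on the result code alone and check both attributes named above. The following is an added example, not Szafir SDK code: the report strings are constructed, the elements are assumed to carry no XML namespace, and `example-determined` and code `1` are placeholder values rather than real SDK output.

```python
import xml.etree.ElementTree as ET

UNDETERMINED = "nondetermined"  # certificateType value named in the advisory

# Constructed reports (not SDK output). Assumption: elements carry no XML namespace.
# "example-determined" and code "1" are placeholders, not real SDK values.
REPORT_TMPL = (
    '<VerifyingTaskItem><Signature><VerificationResult>'
    '<Result code="{code}"/><SigningCertificate certificateType="{ctype}"/>'
    '</VerificationResult></Signature></VerifyingTaskItem>'
)
CVE_CASE = REPORT_TMPL.format(code="0", ctype="nondetermined")
GOOD_CASE = REPORT_TMPL.format(code="0", ctype="example-determined")
FAILED_CASE = REPORT_TMPL.format(code="1", ctype="example-determined")


def check_signature(sig):
    """Return a rejection reason for one Signature element, or None if acceptable."""
    vr = sig.find("VerificationResult")
    if vr is None:
        return "no VerificationResult"
    result, cert = vr.find("Result"), vr.find("SigningCertificate")
    if result is None or result.get("code") != "0":
        return "Result/@code is not 0"
    ctype = cert.get("certificateType", "") if cert is not None else ""
    if not ctype.strip():
        return "certificateType missing"
    if ctype.strip().lower() == UNDETERMINED:
        return "certificate trust status not established"
    return None


def accept_report(report_xml):
    """Fail closed: every signature needs code 0 AND a determined certificate type."""
    try:
        root = ET.fromstring(report_xml)
    except ET.ParseError:
        return False, ["unparseable report"]
    sigs = root.findall("Signature") if root.tag == "VerifyingTaskItem" else []
    if not sigs:
        return False, ["no Signature under VerifyingTaskItem"]
    reasons = [r for r in map(check_signature, sigs) if r]
    return not reasons, reasons


if __name__ == "__main__":
    for name in ("CVE_CASE", "GOOD_CASE", "FAILED_CASE"):
        print(name, accept_report(globals()[name]))
```

The check treats a missing `SigningCertificate` element or attribute the same as `nondetermined`, so a report that omits the trust status is rejected rather than accepted by default.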
nvd CVSS4.0
9.3
Vulnerability type
CWE-393
CWE-637
Published: 25 May 2026 · Updated: 1 Jun 2026 · First seen: 26 May 2026