Path Traversal Vulnerability in AutoScript and Autofirma
- Deployable services alongside AutoScript and Autofirma: the afirma-signature-retriever module.
INCIBE has coordinated the disclosure of a high-severity vulnerability affecting the `afirma-signature-retriever` module of AutoScript and Autofirma, which are maintained by the State Agency for Digital Administration, under the Ministry for Digital Transformation and the Civil Service. The vulnerability was independently discovered by David Martínez González and Cosme Vázquez Tomé.
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2026-9159: CVSS v4.0: 8.8 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N | CWE-22
- Identification of the affected WARs:
- Check whether the following files are deployed on the servers:
- afirma-signature-storage.war
- afirma-signature-retriever.war
- Another way to identify them is to check whether the following paths are published on the server where these services are installed:
- https://DOMAIN/afirma-signature-storage/StorageService
- https://DOMAIN/afirma-signature-retriever/RetrieveService
- These paths apply if the base servlet is the root. Otherwise, add the appropriate path after DOMAIN.
- Updating the WAR files:
- If any of the previous WAR files are currently deployed, they must be updated with the corrected version. The download links are:
- afirma-signature-storage v1.10: https://administracionelectronica.gob.es/ctt/resources/Soluciones/138/Descargas/afirma-signature-storage-1-10.zip?idIniciativa=138&idElemento=29813
- afirma-signature-retriever v1.10: https://administracionelectronica.gob.es/ctt/resources/Soluciones/138/Descargas/afirma-signature-retriever-1-10.zip?idIniciativa=138&idElemento=29814
- Recommended steps:
- 1. Temporarily stop the application server service.
- 2. Replace the vulnerable WAR files with the new, updated version provided.
- 3. Delete the associated deployed directory, if it exists (to force a redeployment).
- 4. Restart the service.
- 5. Verify that the new services have been deployed correctly.
- This can be done by making requests from the browser or with curl to the following URLs:
- https://DOMAIN/afirma-signature-storage/StorageService?v=2&op=PUT&id=test&dat=SG9sYSBNdW5kbyE=
It will return "OK"
- https://DOMAIN/afirma-signature-retriever/RetrieveService?v=2&op=GET&id=test
It will return "SG9sYSBNdW5kbyE="
- These links apply if the base servlet is the root. Otherwise, add the appropriate path after DOMAIN.
CVE-2026-9159: Path traversal vulnerability in the afirma-signature-retriever module, caused by insufficient validation of the `id` parameter. By injecting directory sequences (e.g., `../`), an attacker could navigate beyond the intended directory and access arbitrary files on the system. This could allow the disclosure and deletion of sensitive files or application configuration files, enabling the retrieval and deletion of any file from the deployment server over the Internet.
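The following is an added example written for this advisory; it is not code from the afirma project, whose retriever is a Java servlet not reproduced here. It models the flaw described above in Python: a storage directory, a traversal-prone lookup that joins the raw `id` onto it, and a hardened lookup that allow-lists the identifier and then confirms the canonical path still lies under the storage directory. The function names, the storage layout, the allow-list pattern and the sample files are all assumptions made for the illustration.

```python
"""Added example (not afirma project code): traversal-prone vs hardened
resolution of an ``id`` parameter to a file under a storage directory.
Names, layout and sample data are assumptions for this illustration."""
import os
import re
import tempfile

# Assumed allow-list for identifiers: letters, digits, '-' and '_' only.
# Anything carrying '/', '\\', '.', '%' or a null byte never reaches the filesystem.
ID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class InvalidIdError(ValueError):
    """Raised when an identifier fails validation or escapes the storage root."""


def retrieve_vulnerable(storage_dir, file_id):
    """Traversal-prone form (CWE-22 pattern): the identifier is joined onto the
    storage directory with no validation, so '../x' walks out of it."""
    with open(os.path.join(storage_dir, file_id), "rb") as fh:
        return fh.read()


def resolve_id(storage_dir, file_id):
    """Hardened form: allow-list the identifier, then check that the canonical
    target path is still inside the canonical storage directory."""
    if not ID_PATTERN.fullmatch(file_id):
        raise InvalidIdError("identifier contains characters outside the allow-list")
    base = os.path.realpath(storage_dir)
    target = os.path.realpath(os.path.join(base, file_id))
    # Second line of defence: if the allow-list is ever loosened, the resolved
    # path (symlinks followed) must still sit below the storage directory.
    if os.path.commonpath([base, target]) != base:
        raise InvalidIdError("resolved path escapes the storage directory")
    return target


def retrieve_hardened(storage_dir, file_id):
    with open(resolve_id(storage_dir, file_id), "rb") as fh:
        return fh.read()


def is_safe_id(storage_dir, file_id):
    """Convenience predicate around resolve_id for quick checks."""
    try:
        resolve_id(storage_dir, file_id)
        return True
    except InvalidIdError:
        return False


def demo():
    """Build a constructed layout: a storage directory holding one stored blob
    and a configuration file one level above it. Returns what each variant
    yields for a legitimate id and for a traversal id."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        storage = os.path.join(root, "storage")
        os.mkdir(storage)
        with open(os.path.join(storage, "test"), "wb") as fh:
            fh.write(b"SG9sYSBNdW5kbyE=")  # constructed stored value
        with open(os.path.join(root, "config.properties"), "wb") as fh:
            fh.write(b"db.password=constructed-secret")  # constructed, outside storage

        traversal_id = "../config.properties"

        results["vuln_ok"] = retrieve_vulnerable(storage, "test")
        results["vuln_traversal"] = retrieve_vulnerable(storage, traversal_id)
        results["hard_ok"] = retrieve_hardened(storage, "test")
        try:
            retrieve_hardened(storage, traversal_id)
            results["hard_traversal"] = "read"
        except InvalidIdError:
            results["hard_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The allow-list is the primary control; the canonical-path comparison is kept because a later change to the pattern (for example, permitting dots in identifiers) would otherwise silently reintroduce the escape. A deletion endpoint would reuse `resolve_id` in the same way before calling `os.remove`.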
| CVE identifier | Severity | Exploited | Vendor |
|---|---|---|---|
| CVE-2026-9159 | High | No | State Agency for Digital Administration (Agencia Estatal de Administración Digital) |