CVE-2026-9058

Severity CVSS v4.0:
CRITICAL
Type:
Unavailable / Other
Publication date:
25/05/2026
Last modified:
26/05/2026

Description

Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer&amp;#39;s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.<br /> <br /> This issue was fixed in version 463.