Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-9058

Gravedad CVSS v4.0:
CRÍTICA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
25/05/2026
Última modificación:
26/05/2026

Descripción

*** Pendiente de traducción *** Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer&amp;#39;s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.<br /> <br /> This issue was fixed in version 463.