CVE-2026-9058
CriticalSummary
Szafir SDK returns a success status code from the cryptographic digital signature verification process even when the trust status of the signer's certificate could not be established. This causes consuming applications to incorrectly treat the signature as valid, enabling authentication bypass and user impersonation.
Risk Assessment
Organizations may be exposed to unauthorized access and fraud attacks, as applications may accept unverified signatures as valid.
Recommendation
It is recommended to update to version 463 or newer to fix this vulnerability and ensure proper certificate verification.
Original NVD description (English source)
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation. This issue was fixed in version 463.

