PatchSiren cyber security CVE debrief
CVE-2026-9058 Krajowa Izba Rozliczeniowa CVE debrief
A critical vulnerability in Szafir SDK causes cryptographic digital signature verification to return a success status code even when the signer's certificate trust status cannot be established. The SDK reports 'Positively verified' (Result/@code == 0) despite the certificate type being 'nondetermined', indicating an unverified certificate chain. This logic error allows consuming applications to incorrectly treat signatures as valid, enabling authentication bypass and user impersonation attacks. The vulnerability stems from improper handling of certificate trust validation results, where the SDK fails to propagate certificate chain verification failures to the final verification status. Applications relying on this SDK for signature validation may accept forged or untrusted signatures as legitimate. The issue was resolved in Szafir SDK version 463.
- Vendor
- Krajowa Izba Rozliczeniowa
- Product
- Szafir SDK
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-25
- Original CVE updated
- 2026-05-26
- Advisory published
- 2026-05-25
- Advisory updated
- 2026-05-26
Who should care
Organizations using Szafir SDK for digital signature verification in authentication, document signing, or transaction approval workflows; developers integrating Polish electronic signature (ePUAP/PZEP) capabilities; government and enterprise systems relying on qualified electronic signatures for legal validity; security teams monitoring for authentication bypass vulnerabilities in cryptographic implementations
Technical summary
The Szafir SDK's signature verification API returns XML output where /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0 indicates 'Positively verified'. However, this success code is returned even when /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == 'nondetermined', meaning the certificate chain trust could not be established. Applications checking only the Result code without inspecting the certificateType attribute incorrectly accept signatures with unverified certificates. This enables attackers to present signatures with self-signed, expired, or otherwise untrusted certificates that the SDK marks as successfully verified. The vulnerability represents a status code validation flaw where cryptographic verification completeness is not properly correlated with certificate trust establishment.
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade Szafir SDK to version 463 or later immediately
- Audit application code for reliance on Szafir SDK signature verification results without independent certificate chain validation
- Implement secondary certificate trust verification independent of SDK return codes
- Monitor for suspicious authentication events involving signature-based authentication mechanisms
- Review access logs for anomalous successful authentications that may indicate exploitation attempts
- Contact application vendors to confirm Szafir SDK dependency and patch status
Evidence notes
CVE published 2026-05-25; modified 2026-05-26. CERT.PL advisory confirms vulnerability details and fix version. CVSS 4.0 vector indicates network-attackable, low-complexity vulnerability with high confidentiality and integrity impact. CWE-393 (Return of Wrong Status Code) and CWE-637 (Unnecessary Complexity in Protection Mechanisms) classified.
Official resources
2026-05-25T14:16:27.977Z