Full Report
A Weak Token Encoding vulnerability (CVE-2026-0809) has been found in Streamsoft Prestiż software.
Analysis Summary
# Vulnerability: Weak Token Encoding in Streamsoft Prestiż
## CVE Details
- **CVE ID**: CVE-2026-0809
- **CVSS Score**: Not explicitly provided in the source (Severity typically ranges Medium to High for credential exposure)
- **CWE**: CWE-261 (Weak Encoding for Password)
## Affected Systems
- **Products**: Streamsoft Prestiż
- **Versions**: From 12.2.363.17 to 20.0.380.91
- **Configurations**: Systems utilizing the KSeF (Krajowy System e-Faktur) integration.
## Vulnerability Description
The software employs a custom token encoding algorithm rather than a robust cryptographic standard. Because the encoding logic is predictable, an attacker who analyzes how known values are encoded can reverse-engineer or "guess" the encoded values of KSeF (National e-Invoice System) tokens. This defeats the confidentiality the encoding was meant to provide for the integration tokens.
## Exploitation
- **Status**: Disclosed via Coordinated Vulnerability Disclosure (CVD); no mention of active exploitation in the wild.
- **Complexity**: Likely Medium (Requires analysis of known token-value pairs to derive the algorithm).
- **Attack Vector**: Local/Network (depending on where the encoded tokens are stored or transmitted).
## Impact
- **Confidentiality**: High (Exposure of KSeF tokens could allow unauthorized access to sensitive financial/tax data).
- **Integrity**: Low/Medium (Depending on the permissions associated with the KSeF token).
- **Availability**: None reported.
## Remediation
### Patches
- The vulnerability has been addressed in **version 20.0.380.92**. Users should upgrade to this version or higher immediately.
### Workarounds
- No specific workarounds are provided. Rotation of KSeF tokens after patching is recommended if a compromise is suspected.
## Detection
- **Indicators of Compromise**: Unauthorized access logs within the KSeF system or unusual API calls associated with the software’s integration.
- **Detection methods and tools**: Security audits of the software versioning and monitoring for unexpected data exports via the KSeF module.
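The version audit mentioned above can be automated; the following is an added example (not code from Streamsoft or CERT Polska) that classifies hosts against the affected range and fixed version stated in this advisory. The inventory it processes is constructed sample data, and the host names are placeholders.

```python
from typing import Dict, Tuple

# Boundaries exactly as stated in the advisory (inclusive range).
FIRST_AFFECTED = "12.2.363.17"
LAST_AFFECTED = "20.0.380.91"
FIXED_VERSION = "20.0.380.92"


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into ints so comparison is numeric.

    Plain string comparison would rank "9.0.0.0" above "12.2.363.17";
    comparing tuples of ints avoids that pitfall.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True if the version lies inside the affected range (inclusive)."""
    v = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED)


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as vulnerable / fixed / below-range / unknown."""
    result = {}
    for host, version in inventory.items():
        try:
            v = parse_version(version)
        except ValueError:
            result[host] = "unknown"        # unparsable: needs manual review
            continue
        if is_vulnerable(version):
            result[host] = "vulnerable"
        elif v >= parse_version(FIXED_VERSION):
            result[host] = "fixed"
        else:
            result[host] = "below-range"    # older than the first affected build
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real data.
    sample = {"erp-01": "20.0.380.91", "erp-02": "20.0.380.92",
              "erp-03": "12.2.363.16", "erp-04": "n/a"}
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "below-range" run builds older than the first affected version and should still be reviewed, since the advisory only names the range it tested.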
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/03/CVE-2026-0809/
- CVE Record: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-0809
- CWE-261 Definition: hxxps[://]cwe[.]mitre[.]org/data/definitions/261[.]html