Full Report
An Improper Certificate Verification vulnerability (CVE-2026-9058) has been found in Szafir SDK software.
Analysis Summary
# Vulnerability: Szafir SDK Improper Certificate Verification
## CVE Details
- **CVE ID**: CVE-2026-9058
- **CVSS Score**: Not explicitly provided in the article (High severity implied due to authentication bypass)
- **CWE**: CWE-393 (Return of Wrong Status Code), CWE-637 (Unnecessary Complexity in Protection Mechanism)
## Affected Systems
- **Products**: Szafir SDK (Krajowa Izba Rozliczeniowa)
- **Versions**: All versions prior to 463
- **Configurations**: Applications utilizing Szafir SDK for cryptographic digital signature verification.
## Vulnerability Description
The Szafir SDK suffers from an improper certificate verification flaw. The software returns a "success" status code (code 0, "Positively verified") during the signature verification process even when the trust status of the signer's certificate cannot be established. Specifically, the SDK fails to appropriately handle instances where the `certificateType` is flagged as "nondetermined." This logic error allows consuming applications to treat invalid or untrusted signatures as valid.
## Exploitation
- **Status**: Not reported as exploited in the wild (coordinated disclosure).
- **Complexity**: Medium (Requires crafting a signature with an unverified certificate chain).
- **Attack Vector**: Network (Targeting applications that rely on the SDK for authentication or document validation).
## Impact
- **Confidentiality**: None directly attributed.
- **Integrity**: **High** (Allows for user impersonation and bypass of signature-based integrity checks).
- **Availability**: None directly attributed.
## Remediation
### Patches
- **Version 463**: The vendor has released version 463 which addresses the logic error in the status code return mechanism. Users are urged to upgrade immediately.
### Workarounds
- No specific workarounds are provided. Applications must be updated to use the patched version of the SDK.
## Detection
- **Indicators of Compromise**: Audit logs showing successful signature validations where the certificate chain was incomplete or "nondetermined."
- **Detection Methods**: Developers should manually inspect verification logic to ensure that `certificateType` values are explicitly checked in addition to the primary result code until the patch is applied.
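
The check described above, as an added example (not Szafir SDK code and not its API): a fail-closed acceptance test that requires both result code 0 and a determined `certificateType`, plus an audit pass that flags past "successful" validations lacking one. The JSON record layout, the field names `resultCode` and `doc`, and the value `qualified` are assumptions made for illustration.

```python
import json

SUCCESS_CODE = 0                 # "Positively verified", per the advisory
UNDETERMINED = {"", "nondetermined"}

# Constructed sample audit lines (hypothetical layout, not real SDK output).
SAMPLE_LOG = """\
{"doc": "a.pdf", "resultCode": 0, "certificateType": "qualified"}
{"doc": "b.pdf", "resultCode": 0, "certificateType": "nondetermined"}
{"doc": "c.pdf", "resultCode": 0}
{"doc": "d.pdf", "resultCode": 5, "certificateType": "nondetermined"}
not-json garbage line
"""

def certificate_type_determined(record):
    """A missing, non-string, empty or 'nondetermined' type counts as untrusted."""
    ctype = record.get("certificateType")
    return isinstance(ctype, str) and ctype.strip().casefold() not in UNDETERMINED

def signature_trusted(record):
    """Fail closed: the success code alone is never sufficient."""
    code = record.get("resultCode")
    # type() check rejects booleans and strings that would compare equal to 0
    return (type(code) is int and code == SUCCESS_CODE
            and certificate_type_determined(record))

def audit(log_text):
    """Return (docs accepted with code 0 but no determined type, unparsed line numbers)."""
    flagged, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            unparsed.append(lineno)      # surface, never silently skip
            continue
        if not isinstance(record, dict):
            unparsed.append(lineno)
            continue
        if record.get("resultCode") == SUCCESS_CODE and not signature_trusted(record):
            flagged.append(record.get("doc"))
    return flagged, unparsed

if __name__ == "__main__":
    flagged, unparsed = audit(SAMPLE_LOG)
    print("review these validations:", flagged)
    print("unparseable log lines:", unparsed)
```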
## References
- **Vendor Advisory**: hxxps[://]cert[.]pl/en/posts/2026/05/vulnerability-in-szafir-sdk/
- **CVE Link**: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-9058
- **CWE-393**: hxxps[://]cwe[.]mitre[.]org/data/definitions/393[.]html
- **CWE-637**: hxxps[://]cwe[.]mitre[.]org/data/definitions/637[.]html