CVE-2026-9058 – Improper Certificate Verification in Szafir SDK
CVE ID: CVE-2026-9058
Published: May 25, 2026, 1:23 p.m.
Description: Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, “Positively verified”) even when the trust status of the signer’s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.
This issue was fixed in version 463.
Severity: 9.3 | CRITICAL
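A consuming application can guard against the condition in the description by requiring both a result code of 0 and a determined certificate type before it accepts a signature. The following is an added example, not Szafir SDK code: it assumes the verification output is available as un-namespaced XML with exactly the paths quoted above, and the sample documents, the placeholder certificate type and the non-zero result code are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: only the element/attribute paths quoted in the advisory
# are modelled; real SDK output may use namespaces and carry more fields.
SAMPLE_NONDETERMINED = """<VerifyingTaskItem>
  <Signature>
    <VerificationResult>
      <Result code="0"/>
      <SigningCertificate certificateType="nondetermined"/>
    </VerificationResult>
  </Signature>
</VerifyingTaskItem>"""
# "PLACEHOLDER-DETERMINED-TYPE" and code "1" are placeholders, not real SDK values.
SAMPLE_DETERMINED = SAMPLE_NONDETERMINED.replace(
    "nondetermined", "PLACEHOLDER-DETERMINED-TYPE")
SAMPLE_FAILED = SAMPLE_DETERMINED.replace('code="0"', 'code="1"')


def signature_decisions(xml_text):
    """Return one (accepted, reason) tuple per <Signature> in the document."""
    root = ET.fromstring(xml_text)
    if root.tag != "VerifyingTaskItem":
        raise ValueError("unexpected root element: %r" % root.tag)
    decisions = []
    for sig in root.findall("Signature"):
        result = sig.find("VerificationResult/Result")
        cert = sig.find("VerificationResult/SigningCertificate")
        code = result.get("code") if result is not None else None
        cert_type = (cert.get("certificateType") or "") if cert is not None else ""
        cert_type = cert_type.strip()
        if code != "0":
            decisions.append((False, "result code is %r, not 0" % code))
        elif not cert_type:
            decisions.append((False, "certificateType missing or empty"))
        elif cert_type.lower() == "nondetermined":
            # The case from the advisory: code 0 but trust was never established.
            decisions.append((False, "certificate trust status not determined"))
        else:
            decisions.append((True, "code 0 and certificateType %r" % cert_type))
    return decisions


def accept(xml_text):
    """Fail closed: require at least one signature and every one to pass."""
    decisions = signature_decisions(xml_text)
    return bool(decisions) and all(ok for ok, _ in decisions)
```

Logging the reason string for every rejected signature also gives a way to spot documents that report code 0 together with a non-determined certificate.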