ctipilot.ch

Szafir SDK (KIR) improper certificate verification / auth bypass — Polish qualified e-signature SDK; fixed v463

cve · CVE-2026-9058

Coverage timeline
1
first 2026-05-26 → last 2026-05-31
Peak priority
high
1 high
Sources cited
3
3 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
1
pinned v19.1 · see below

ATT&CK techniques

1 technique observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Credential Access TA0006

T1606Forge Web Credentials×1

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Evidence: 2026-05-26/cve-2026-9058-szafir-sdk-kir-signature-verification-routine · ATT&CK page ↗

Story timeline

  1. 2026-05-26CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • attack.mitre.org1 (33%)
  • cert.pl1 (33%)
  • euvd.enisa.europa.eu1 (33%)

Entries about Szafir SDK (KIR) improper certificate verification / auth bypass — Polish qualified e-signature SDK; fixed v463 (1)

2026-05-26 · view entry permalink →

CVE-2026-9058 — Szafir SDK (KIR): signature-verification routine reports success on an untrusted certificate chain, enabling auth bypass in Polish e-government

CERT Polska disclosed CVE-2026-9058, an improper-certificate-validation flaw (CWE-393 / CWE-637) scored CVSS 4.0 9.3 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N) in Szafir SDK, the qualified-electronic-signature library developed by clearinghouse Krajowa Izba Rozliczeniowa (KIR) and embedded across Polish public-administration systems (CERT Polska, 2026-05-25; ENISA EUVD-2026-31679, 2026-05-25). The defect is precise and instructive: the SDK returns the success code /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0 ("Positively verified") from cryptographic signature verification even when the signer certificate's trust status is nondetermined — i.e. the chain could not be validated to a trusted root. A consuming application that gates on the result code alone treats a signature backed by an unverifiable or attacker-supplied certificate as valid, yielding authentication bypass and user impersonation without possession of a legitimate qualified certificate (T1606). Any application that consumes Szafir to accept qualified electronic signatures is therefore exposed to forged-signature acceptance — squarely the qualified-signature use case across Polish e-government and regulated industry; the issue is fixed in version 463.

This clears the § 2 bar on ENISA EUVD CVSS ≥ 9.0 and as a national-CERT primary disclosure for its own jurisdiction. Defender action beyond upgrading to ≥ 463: applications must validate the certificate trust status independently of the result code — check …/SigningCertificate/@certificateType != "nondetermined" before accepting the signature — and audit verification logs for events where Result/@code == 0 coincided with a nondetermined certificate, which indicates likely abuse. The broader lesson generalises to any CH/EU qualified-signature stack: never collapse "cryptographically intact" and "anchored to a trusted root" into a single boolean. No in-the-wild exploitation is reported.

vulnerability26 May 05:00Zmulti-sourceOpen finding ↗