CWE-637
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured, implemented, or used.
CVE-2026-9058 (GCVE-0-2026-9058)
Vulnerability from cvelistv5 – Published: 2026-05-25 13:23 – Updated: 2026-05-25 13:23
VLAI
Title
Improper Certificate Verification in Szafir SDK
Summary
Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, "Positively verified") even when the trust status of the signer's certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == "nondetermined"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.
This issue was fixed in version 463.
Severity
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/posts/2026/05/CVE-2026-9058 | third-party-advisory |
| https://www.elektronicznypodpis.pl/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Krajowa Izba Rozliczeniowa | Szafir SDK |
Affected:
0 , < 463
(custom)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Szafir SDK",
"vendor": "Krajowa Izba Rozliczeniowa",
"versions": [
{
"lessThan": "463",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Micha\u0142 Leszczy\u0144ski (icedev.pl)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSzafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. \u003ci\u003e/VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0,\u003c/i\u003e \"Positively verified\") even when the trust status of the signer\u0027s certificate could not be established (i.e. \u003ci\u003e/VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == \"nondetermined\")\u003c/i\u003e. This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.\u003cbr\u003e\u003c/span\u003e\u003cbr\u003eThis issue was fixed in version \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e463\u003c/span\u003e."
}
],
"value": "Szafir SDK returns a success status code from the cryptographic digital signature verification process (i.e. /VerifyingTaskItem/Signature/VerificationResult/Result/@code == 0, \"Positively verified\") even when the trust status of the signer\u0027s certificate could not be established (i.e. /VerifyingTaskItem/Signature/VerificationResult/SigningCertificate/@certificateType == \"nondetermined\"). This causes consuming applications to incorrectly treat the signature as valid despite an unverified certificate chain, enabling authentication bypass and user impersonation.\n\nThis issue was fixed in version 463."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-637",
"description": "CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using \u0027Economy of Mechanism\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-393",
"description": "CWE-393: Return of Wrong Status Code",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-25T13:23:09.157Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/posts/2026/05/CVE-2026-9058"
},
{
"tags": [
"product"
],
"url": "https://www.elektronicznypodpis.pl/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Improper Certificate Verification in Szafir SDK",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-9058",
"datePublished": "2026-05-25T13:23:09.157Z",
"dateReserved": "2026-05-20T06:36:10.929Z",
"dateUpdated": "2026-05-25T13:23:09.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- Avoid complex security mechanisms when simpler ones would meet requirements. Avoid complex data models, and unnecessarily complex operations. Adopt architectures that provide guarantees, simplify understanding through elegance and abstraction, and that can be implemented similarly. Modularize, isolate and do not trust complex code, and apply other secure programming principles on these modules (e.g., least privilege) to mitigate vulnerabilities.
No CAPEC attack patterns related to this CWE.