CVE-2025-26787: n/a
An error in the SignServer container startup logic was found in Keyfactor SignServer versions prior to 7.2. The Admin CLI command used to configure certificate access at the initial startup of the container sets a property of "allowany" to allow any user with a valid and trusted client auth certificate to connect. Admins can then set more restricted access to specific certificates. A logic error caused this Admin CLI command to be run on each restart of the container instead of only on the first startup as intended, resetting the configuration to "allowany".
AI Analysis
Technical Summary
CVE-2025-26787 identifies a security vulnerability in Keyfactor SignServer versions prior to 7.2 related to the container startup logic. The vulnerability stems from an Admin CLI command designed to configure certificate access permissions during the initial startup of the SignServer container. This command sets a property called 'allowany' which permits any user possessing a valid and trusted client authentication certificate to connect to the SignServer. The intended behavior is that this permissive setting is applied only once at the first startup, after which administrators can restrict access to specific certificates to enforce tighter security controls. However, a logic error causes this Admin CLI command to execute on every container restart, not just the initial one. Consequently, the access configuration is reset to the permissive 'allowany' state each time the container restarts, effectively overriding any more restrictive access policies previously set by administrators.
This results in a persistent misconfiguration that could allow unauthorized users with valid client certificates to gain access to the SignServer, potentially enabling them to perform unauthorized certificate operations such as signing or management. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk to environments relying on Keyfactor SignServer for secure certificate lifecycle management.
The absence of a CVSS score necessitates an assessment based on the impact on confidentiality, integrity, and availability, the ease of exploitation (no authentication bypass but misuse of valid certificates), and the scope of affected systems. The vulnerability affects all deployments using vulnerable versions of Keyfactor SignServer containers that undergo restarts without patching. The issue was publicly disclosed on December 22, 2025, and remediation requires upgrading to version 7.2 or later where the startup logic is corrected to prevent resetting access permissions on container restarts.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized access to certificate management functions within Keyfactor SignServer environments. Since certificates are foundational to securing communications, authenticating users, and enabling encryption, unauthorized access could compromise the confidentiality and integrity of sensitive data and communications. Attackers with valid client certificates could exploit the permissive 'allowany' setting to connect to the SignServer and potentially issue fraudulent certificates, revoke legitimate ones, or disrupt certificate services. This could undermine trust in digital identities, disrupt secure communications, and facilitate further attacks such as man-in-the-middle or impersonation attacks. Organizations in sectors with high reliance on PKI infrastructure—such as finance, government, telecommunications, and critical infrastructure—face elevated risks. The vulnerability also increases the attack surface during container restarts, which may occur frequently in cloud or container orchestration environments common in Europe. Although no exploits are known, the ease of exploitation is moderate since attackers must possess valid client certificates, but the resetting of access controls significantly lowers barriers to unauthorized access once inside the network or with compromised certificates.
Mitigation Recommendations
1. Upgrade immediately to Keyfactor SignServer version 7.2 or later, where the container startup logic has been corrected to prevent resetting access permissions on restarts.
2. Audit current SignServer container configurations and restart procedures to verify that access controls have not been inadvertently reset to 'allowany'.
3. Implement strict certificate issuance and revocation policies to minimize the risk of misuse of valid client certificates.
4. Monitor SignServer logs and access patterns for unusual connections or certificate operations that could indicate exploitation attempts.
5. Restrict network access to SignServer containers to trusted hosts and networks, reducing exposure to unauthorized clients.
6. Employ container orchestration best practices to control and audit container restarts, ensuring that security configurations persist across restarts.
7. Educate administrators on the importance of verifying access control settings after container restarts until the patch is applied.
8. Consider implementing additional authentication layers or network segmentation around SignServer deployments to limit potential attack vectors.
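The restart behaviour described in the Technical Summary and the post-restart check from recommendations 2 and 7, modelled in shell as an added example (not Keyfactor's code and not part of the original page). The policy file, the marker file, `set_access` and the `cert:ops-admin-01` value are constructed stand-ins; no real SignServer CLI command is used.

```shell
#!/bin/sh
# Constructed model: the access policy is a one-line file on a persistent volume.
# set_access is a hypothetical stand-in for the Admin CLI command.
STATE_DIR="${STATE_DIR:-$(mktemp -d)}"
POLICY="$STATE_DIR/access_policy"
MARKER="$STATE_DIR/.initialized"

set_access() { printf '%s\n' "$1" > "$POLICY"; }
get_access() { cat "$POLICY"; }

# Flawed startup: the permissive default is applied on every start.
startup_flawed() { set_access allowany; }

# Guarded startup: the default is applied only when no marker exists. The marker
# must live on the same persistent storage as the policy; a marker in the
# container's own filesystem disappears when the container is recreated.
startup_guarded() {
  if [ ! -e "$MARKER" ]; then
    set_access allowany
    : > "$MARKER"
  fi
}

# Post-restart audit: compare the live policy with the expected baseline.
audit_access() {
  expected="$1"
  actual="$(get_access)"
  if [ "$actual" = "$expected" ]; then
    echo "OK policy=$actual"
    return 0
  fi
  echo "DRIFT expected=$expected actual=$actual"
  return 1
}

# Scenario: first start, admin restricts access, container restarts, audit runs.
run_scenario() {
  startup_fn="$1"
  rm -f "$POLICY" "$MARKER"
  "$startup_fn"                    # first start
  set_access "cert:ops-admin-01"   # constructed restricted policy
  "$startup_fn"                    # restart
  audit_access "cert:ops-admin-01"
}

run_scenario startup_flawed || true   # reports DRIFT
run_scenario startup_guarded          # reports OK
```

Running the audit as a post-start hook or scheduled job turns a silent reset into an alert on deployments that cannot be upgraded yet.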
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-02-14T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 69498ef9c525bff625d87aec
Added to database: 12/22/2025, 6:33:29 PM
Last enriched: 12/22/2025, 6:40:37 PM
Last updated: 12/23/2025, 5:09:14 AM