
CVE-2026-0809: CWE-261 Weak Encoding for Password in Streamsoft Streamsoft Prestiż

Severity: Medium
Tags: Vulnerability, CVE-2026-0809, CWE-261
Published: Thu Mar 12 2026 (03/12/2026, 13:02:24 UTC)
Source: CVE Database V5
Vendor/Project: Streamsoft
Product: Streamsoft Prestiż

Description

Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with known values are encoded. This issue was fixed in version 20.0.380.92.

AI-Powered Analysis

Last updated: 03/12/2026, 14:29:12 UTC

Technical Analysis

CVE-2026-0809 identifies a vulnerability in the Streamsoft Prestiż software, specifically version 12.2.363.17, where a custom token encoding algorithm used to protect the KSeF (Krajowy System e-Faktur) token is weak and susceptible to guessing attacks. The KSeF token is critical for the electronic invoicing system in Poland, and the vulnerability arises because the encoding method does not sufficiently obfuscate or secure the token values. Attackers can analyze tokens with known values to reverse-engineer or predict the encoding pattern, enabling them to guess valid tokens without needing authentication or user interaction. This flaw is categorized under CWE-261, which involves weak encoding for passwords or sensitive data, indicating that the encoding does not provide adequate security guarantees. The vulnerability is remotely exploitable over the network, with low attack complexity and no privileges required, making it accessible to a wide range of attackers. The issue was addressed and fixed in Streamsoft Prestiż version 20.0.380.92. Although no active exploits have been reported, the potential for unauthorized access to the KSeF tokens could lead to fraudulent invoicing or data manipulation within the e-invoicing system. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) reflects a medium severity rating with a base score of 6.3, highlighting the vulnerability's moderate impact on confidentiality and ease of exploitation.

Potential Impact

The primary impact of CVE-2026-0809 is the potential compromise of the confidentiality and integrity of KSeF tokens used in the Polish national e-invoicing system. If attackers successfully guess valid tokens, they could impersonate legitimate users or manipulate invoicing data, leading to fraudulent transactions, financial losses, and reputational damage for affected organizations. Since the vulnerability allows remote exploitation without authentication or user interaction, it broadens the attack surface significantly. Organizations relying on Streamsoft Prestiż for e-invoicing may face regulatory compliance issues and operational disruptions if attackers exploit this flaw. Additionally, the exposure of token values could facilitate further attacks against connected systems or services that trust these tokens. Although availability is not directly impacted, the indirect consequences of data manipulation and fraud could cause significant business interruptions. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. The vulnerability's impact is most critical for entities operating within Poland's e-invoicing ecosystem but could extend to any international organizations using the affected software version.

Mitigation Recommendations

1. Immediate upgrade to Streamsoft Prestiż version 20.0.380.92 or later, where the vulnerability has been fixed, is the most effective mitigation.
2. Implement network segmentation and restrict access to the Streamsoft Prestiż application servers to trusted internal networks only, reducing exposure to remote attackers.
3. Monitor and audit token usage logs for unusual patterns or repeated failed attempts to guess tokens, which may indicate exploitation attempts.
4. Employ additional application-layer encryption or tokenization mechanisms if possible, to add layers of security beyond the built-in encoding.
5. Conduct regular security assessments and penetration testing focused on authentication and token management components.
6. Educate staff and users about the importance of timely patching and secure handling of sensitive tokens.
7. Coordinate with Streamsoft support and national cybersecurity authorities for updates and guidance on secure deployment practices.
8. Consider implementing anomaly detection systems that can flag suspicious activities related to token usage or e-invoicing transactions.

These steps go beyond generic advice by focusing on network controls, monitoring, and layered security to mitigate risks while patching is underway or in case of delayed upgrades.
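A minimal version of the monitoring described in step 3, added here as an illustration and not code from Streamsoft or this advisory. It runs over a constructed log in a hypothetical key=value format (the real Prestiż/KSeF log format is not on this page) and flags any source that accumulates a burst of failed token authentications inside a sliding time window; the threshold and window are assumptions to tune per deployment.

```python
"""Flag bursts of failed KSeF token authentications per source (mitigation step 3)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the field layout is hypothetical, not the vendor's format.
SAMPLE_LOG = """\
2026-03-12T13:00:01Z src=10.0.0.5 user=ksef-svc result=OK
2026-03-12T13:00:09Z src=10.0.0.9 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:00:21Z src=10.0.0.9 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:00:33Z src=10.0.0.9 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:00:47Z src=10.0.0.9 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:01:02Z src=10.0.0.9 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:01:15Z src=10.0.0.9 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:02:40Z src=10.0.0.5 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:05:00Z src=10.0.0.9 user=ksef-svc result=FAIL reason=expired_token
2026-03-12T13:10:00Z src=10.0.0.7 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:20:00Z src=10.0.0.7 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:30:00Z src=10.0.0.7 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:40:00Z src=10.0.0.7 user=ksef-svc result=FAIL reason=invalid_token
2026-03-12T13:50:00Z src=10.0.0.7 user=ksef-svc result=FAIL reason=invalid_token
"""

THRESHOLD = 5                 # assumed: failures within one window that trigger an alert
WINDOW = timedelta(minutes=5)  # assumed: sliding window length


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' datetime."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_token_guessing(log_text: str, threshold: int = THRESHOLD,
                        window: timedelta = WINDOW) -> dict:
    """Return {src: peak failures in one window} for sources reaching the threshold.

    Only result=FAIL with reason=invalid_token counts; expired or other failures are
    operational noise, not a sign that token values are being guessed.
    """
    fails = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("result") == "FAIL" and f.get("reason") == "invalid_token":
            fails[f["src"]].append(f["ts"])
    alerts = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    print(find_token_guessing(SAMPLE_LOG))
```

Only 10.0.0.9 is reported: its six invalid-token failures fall inside one five-minute window, while 10.0.0.7's five failures are spread ten minutes apart and 10.0.0.5's single failure never reaches the threshold.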


Technical Details

Data Version: 5.2
Assigner Short Name: CERT-PL
Date Reserved: 2026-01-09T14:56:38.137Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b2ca582f860ef943997cdf

Added to database: 3/12/2026, 2:14:48 PM

Last enriched: 3/12/2026, 2:29:12 PM

Last updated: 3/14/2026, 2:25:09 AM
