The vulnerability CVE-2026-26275 affects the httpsig-rs library's httpsig-hyper extension, which implements HTTP message signature verification. The root cause is the incorrect use of Rust's matches! macro in digest verification logic prior to version 0.0.23. Specifically, the code snippet `if matches!(digest, _expected_digest)` mistakenly treats `_expected_digest` as a pattern binding rather than performing a value equality check. This logic flaw causes the digest verification to unconditionally succeed, even when the computed digest does not match the expected digest value. As a result, applications relying on this digest verification step may fail to detect tampering or modification of HTTP message bodies, compromising message integrity. The vulnerability is classified under CWE-354 (Improper Validation of Integrity Check Value) and CWE-697 (Incorrect Comparison). The fix introduced in version 0.0.23 replaces the matches! macro usage with a proper value comparison and adds a constant-time comparison function to mitigate timing attacks, enhancing defense-in-depth. Regression tests were also added to prevent recurrence. The vulnerability can be exploited remotely without authentication or user interaction, making it a significant risk for any system using vulnerable versions of httpsig-rs for HTTP message signature validation. No known exploits are currently reported in the wild. Users are strongly advised to upgrade to version 0.0.23 or later. If immediate upgrade is not possible, relying solely on Digest verification should be avoided, and full HTTP message signature validation should be enforced at the application layer to mitigate risk.

This vulnerability undermines the integrity assurance of HTTP message signatures by allowing digest verification to falsely succeed. Attackers capable of intercepting or modifying HTTP traffic can alter message bodies without detection, potentially injecting malicious content, altering commands, or corrupting data. This can lead to unauthorized actions, data corruption, or bypass of security controls relying on message integrity. Since the flaw requires no authentication and can be exploited remotely, it poses a high risk to any system using affected versions of httpsig-rs for critical HTTP message validation. The impact is particularly severe for applications that rely solely on Digest header verification without additional signature validation layers. While availability and confidentiality are not directly impacted, the integrity compromise can facilitate further attacks or unauthorized access. Organizations using this library in web services, APIs, or microservices architectures are at risk of message tampering attacks that could disrupt business operations or lead to data breaches.

The primary mitigation is to upgrade the httpsig-rs library to version 0.0.23 or later, which contains the fix for this vulnerability. This upgrade replaces the incorrect matches! macro usage with proper value and constant-time comparisons, restoring correct digest verification. For organizations unable to upgrade immediately, it is critical to avoid relying solely on Digest header verification for message integrity. Instead, enforce full HTTP message signature verification at the application layer, ensuring that all signature components are validated correctly. Implement additional integrity checks or cryptographic protections where possible. Conduct thorough code reviews and testing to verify that message signature validation is robust and not bypassable. Monitor network traffic for signs of message tampering or anomalies. Finally, apply regression testing to prevent reintroduction of similar logic errors in future updates.