
CVE-2026-26275: CWE-354: Improper Validation of Integrity Check Value in junkurihara httpsig-rs

Severity: High
Tags: vulnerability, CVE-2026-26275, CWE-354, CWE-697
Published: Thu Feb 19 2026 (02/19/2026, 21:25:37 UTC)
Source: CVE Database V5
Vendor/Project: junkurihara
Product: httpsig-rs

Description

httpsig-hyper is a hyper extension for HTTP message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced.

This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue.

Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 14:46:15 UTC

Technical Analysis

CVE-2026-26275 affects the `httpsig-hyper` crate, the hyper integration published from the httpsig-rs project, in versions before 0.0.23. The root cause is a misuse of Rust's `matches!` macro in the Digest verification path. The macro's second argument is a pattern, not an expression: `matches!(digest, _expected_digest)` expands to `match digest { _expected_digest => true, _ => false }`, and a bare identifier in pattern position is an irrefutable binding that matches any value and shadows the variable of the same name. The first arm therefore always fires, and the check reports success whether or not the computed digest equals the expected one. Two compiler signals were available: rustc reports the `_ => false` arm as an unreachable pattern, and a leading underscore on `_expected_digest` is consistent with silencing the unused-variable warning that the shadowed parameter would otherwise produce.

As a consequence, an application that relies on the library's Digest check can accept a message whose body was altered after it was signed. The flaw is classified as CWE-354 (Improper Validation of Integrity Check Value) and CWE-697 (Incorrect Comparison). Version 0.0.23 replaces the `matches!` call with a value comparison, performs that comparison in constant time as defense-in-depth against timing side channels, and adds regression tests. Exploitation needs no authentication or user interaction, but it does require the attacker to be able to alter the message body between signer and verifier (an on-path position or a compromised intermediary) and an application that treats the Digest check as its body-integrity control. No exploitation in the wild had been reported at the time of writing. Severity depends on how the library is integrated and on whether other integrity checks are enforced.

Potential Impact

In vulnerable versions the Digest check passes unconditionally, so an attacker who can modify an HTTP message in transit can replace the body while leaving the signed headers, including the digest header, untouched. In RFC 9421-style HTTP message signatures the signature generally covers the digest header (for example Content-Digest) rather than the body itself, so the digest check is what binds the body to the signature; with it neutralised, body integrity is lost even though signature verification over the headers still succeeds. The practical result is forged request or response bodies (altered parameters, payloads or webhook content) in APIs, microservices and other systems that use httpsig-hyper for message validation. Confidentiality and availability are not affected directly; the impact is to integrity, and it is greatest where the Digest check is the only control on the body. Applications that verify the body through some other mechanism are less exposed, though an accepted tampered body can still be the first step of a larger attack.

Mitigation Recommendations

Upgrade `httpsig-hyper` to 0.0.23 or later: set `httpsig-hyper = "0.0.23"` (or a later release) in Cargo.toml, run `cargo update -p httpsig-hyper`, and confirm with `cargo tree -i httpsig-hyper` that no transitive dependency still pulls in an older version. There is no reliable workaround without upgrading. Until the upgrade lands, do not treat the library's Digest check as the integrity control for the body: enforce full HTTP message signature verification at the application layer and, where possible, recompute and compare the body digest yourself before trusting the content.

Audit your own code for the same mistake: any `matches!(value, name)` whose second argument is a plain variable rather than a pattern is a comparison that always succeeds. rustc emits an "unreachable pattern" warning on the macro's fallback arm in that case, so building with `RUSTFLAGS="-D warnings"` in CI, or adding `#![deny(unreachable_patterns)]` to the crate, turns the mistake into a build failure. Compare digests and MACs in constant time using a reviewed implementation (for example `subtle::ConstantTimeEq`) rather than `==`, keep a regression test that feeds the verifier a body changed after signing and expects rejection, and watch the project's release notes and the RustSec advisory database for follow-ups.
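To make both the bug described in the technical analysis and the audit advice above concrete, here is a small self-contained Rust program. It is an added illustration, not code from httpsig-rs: the digest function, header format and function names are invented for the example, and only the `matches!` misuse mirrors the pattern named in the advisory. The digest is a non-cryptographic FNV-1a stand-in so the program runs without external crates; the shape of the mistake does not depend on the hash. The buggy check and a corrected constant-time check are both fed a body that was swapped after the digest header was produced.

```rust
// Added illustration, not httpsig-rs code. Digest, header format and names
// are invented for the example; the `matches!` misuse mirrors the advisory.

/// Stand-in digest (FNV-1a, 64-bit). NOT cryptographic: it exists only so
/// the example runs without external crates. Real code uses SHA-256/SHA-512.
fn toy_digest(body: &[u8]) -> Vec<u8> {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in body {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h.to_be_bytes().to_vec()
}

/// Header value as a signer would send it, e.g. `toy-fnv=a1b2...` (hex).
fn digest_header(body: &[u8]) -> String {
    let hex: String = toy_digest(body).iter().map(|b| format!("{b:02x}")).collect();
    format!("toy-fnv={hex}")
}

/// Parse `toy-fnv=<hex>` back into the expected digest bytes.
fn parse_digest_header(value: &str) -> Option<Vec<u8>> {
    let hex = value.strip_prefix("toy-fnv=")?;
    if hex.len() % 2 != 0 || !hex.is_ascii() {
        return None;
    }
    (0..hex.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&hex[i..i + 2], 16).ok())
        .collect()
}

/// The bug. `_expected` on the right of `matches!` is an identifier PATTERN,
/// not an expression: it binds whatever `computed` is and shadows the
/// parameter, so the first arm always matches and the result is always true.
/// Without the `allow`, rustc warns "unreachable pattern" on the fallback
/// arm; that warning is the tell an audit should look for.
#[allow(unreachable_patterns)]
fn verify_digest_buggy(computed: &[u8], _expected: &[u8]) -> bool {
    matches!(computed, _expected)
}

/// Constant-time equality. Hand-written for the example; production code
/// should use a reviewed implementation such as `subtle::ConstantTimeEq`.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// The fix: compare values, and do it in constant time.
fn verify_digest_fixed(computed: &[u8], expected: &[u8]) -> bool {
    ct_eq(computed, expected)
}

/// Verify a received body against its digest header with either check.
fn verify_body(body: &[u8], header: &str, buggy: bool) -> bool {
    let expected = match parse_digest_header(header) {
        Some(d) => d,
        None => return false,
    };
    let computed = toy_digest(body);
    if buggy {
        verify_digest_buggy(&computed, &expected)
    } else {
        verify_digest_fixed(&computed, &expected)
    }
}

/// Scenario: the signer commits to one body; an attacker swaps the body but
/// keeps the original (signed) digest header. Returns (buggy, fixed).
fn tampering_scenario() -> (bool, bool) {
    let original = br#"{"amount":10,"to":"alice"}"#; // constructed sample body
    let header = digest_header(original);
    let tampered = br#"{"amount":9999,"to":"mallory"}"#; // constructed tampered body
    (
        verify_body(tampered, &header, true),
        verify_body(tampered, &header, false),
    )
}

fn main() {
    let (buggy, fixed) = tampering_scenario();
    println!("tampered body accepted: buggy={buggy} fixed={fixed}");
}
```

The buggy verifier accepts the tampered body and the fixed one rejects it. The `#[allow(unreachable_patterns)]` is there only so the example builds quietly; in a real code base that attribute (or an unexplained leading underscore on a parameter that should be compared) is exactly the kind of thing a review should question.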


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-12T17:10:53.413Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 2/19/2026, 9:47:07 PM

Last enriched: 2/28/2026, 2:46:15 PM

Last updated: 4/3/2026, 8:41:04 PM
