CVE-2026-26928 is a vulnerability in the SzafirHost application by Krajowa Izba Rozliczeniowa, identified as CWE-354: Improper Validation of Integrity Check Value. SzafirHost downloads necessary files dynamically in the context of the initiating web page and updates its dynamic libraries accordingly. While JAR files are validated against a trusted hash list or verified via vendor digital signatures, the application fails to perform similar integrity or signature checks on uploaded dynamic libraries such as DLL (Windows), SO (Linux), JNILIB (Java Native Interface libraries), or DYLIB (macOS). This lack of validation allows an attacker to supply a malicious dynamic library file, which the application saves in the user's temporary folder and subsequently executes. Since the vulnerability requires no authentication or user interaction and can be exploited remotely over the network, it poses a significant risk. The vulnerability was assigned a CVSS 4.0 base score of 8.7 (high severity), reflecting its ease of exploitation and potential impact on system integrity and availability. The issue was addressed and fixed in SzafirHost version 1.1.0. No known exploits are reported in the wild yet, but the vulnerability's nature suggests a high likelihood of exploitation once public details are widely known.

The vulnerability enables remote attackers to execute arbitrary code on systems running vulnerable versions of SzafirHost by uploading malicious dynamic libraries that are executed without proper integrity checks. This can lead to full system compromise, allowing attackers to steal sensitive data, disrupt services, or establish persistent footholds. The lack of authentication and user interaction requirements broadens the attack surface, making automated exploitation feasible. Organizations relying on SzafirHost for financial or transactional processing, especially in Poland and regions where Krajowa Izba Rozliczeniowa's services are used, face risks of operational disruption, data breaches, and reputational damage. The execution of arbitrary code can also facilitate lateral movement within networks, increasing the scope of compromise. Given the critical role of Krajowa Izba Rozliczeniowa in financial infrastructure, the impact extends to potential systemic risks in affected sectors.

Organizations should immediately upgrade SzafirHost to version 1.1.0 or later, where the vulnerability is fixed. Until patching is possible, restrict network access to SzafirHost instances to trusted sources only and implement application-layer firewalls to detect and block suspicious file uploads. Employ endpoint protection solutions capable of detecting anomalous execution of dynamic libraries from temporary directories. Conduct thorough monitoring and logging of file uploads and execution events related to SzafirHost. Additionally, implement strict file integrity monitoring on directories used by SzafirHost for temporary storage. Educate users and administrators about the risk of executing untrusted dynamic libraries and enforce the principle of least privilege to limit the impact of potential exploitation. Finally, coordinate with the vendor for any additional security advisories or mitigation tools.