The vulnerability CVE-2026-33487 affects the russellhaering goxmldsig library, which provides XML Digital Signature functionality in Go. The root cause is a programming error in the validateSignature function within validate.go, where a loop variable capture issue occurs when iterating over the SignedInfo.References slice. Instead of capturing the value of each reference, the code captures the address of the loop variable _ref. Due to Go's loop variable semantics, this results in the pointer ref always pointing to the last reference after the loop completes. Consequently, if multiple references match the signed element's ID or if the loop logic is flawed, the signature validation process may incorrectly verify signatures by validating against the wrong reference. This improper verification violates cryptographic signature integrity (CWE-347) and can lead to acceptance of forged or tampered signatures. The vulnerability affects goxmldsig versions prior to 1.6.0 and is particularly relevant for Go versions before 1.22 or when older module versions are used. The CVSS v3.1 score is 7.5 (high), reflecting that the vulnerability can be exploited remotely without authentication or user interaction, impacting integrity but not confidentiality or availability. No known exploits are currently reported in the wild. The issue was addressed in goxmldsig version 1.6.0 by correcting the loop variable handling to ensure proper signature reference verification.

This vulnerability undermines the integrity guarantees provided by XML Digital Signatures in applications using the affected goxmldsig versions. Attackers could exploit this flaw to bypass signature validation, allowing them to forge or tamper with signed XML documents without detection. This can lead to unauthorized actions, data manipulation, or privilege escalation in systems relying on XML signatures for authentication, authorization, or data integrity. The impact is significant for organizations using goxmldsig in security-sensitive contexts such as SAML assertions, SOAP message security, or other XML-based protocols. Since exploitation requires no authentication or user interaction and can be performed remotely, the attack surface is broad. However, the vulnerability does not affect confidentiality or availability directly. Organizations failing to patch may face risks of data integrity breaches, loss of trust in signed communications, and potential compliance violations.

The primary mitigation is to upgrade the goxmldsig library to version 1.6.0 or later, where the loop variable capture bug is fixed. Organizations should audit their codebases and dependencies to identify usage of goxmldsig and ensure they are not pinned to vulnerable versions. For environments where immediate upgrade is not feasible, applying code-level patches to correct the loop variable handling in validateSignature can serve as a temporary workaround. Additionally, implementing defense-in-depth measures such as validating signatures with alternative libraries or performing additional application-level integrity checks can reduce risk. Monitoring for anomalous XML signature validation failures or unexpected signed document changes may help detect exploitation attempts. Finally, developers should review their use of cryptographic libraries for similar loop variable or pointer misuse patterns to prevent analogous vulnerabilities.