CVE-2026-40070: CWE-347: Improper Verification of Cryptographic Signature in sgbett bsv-ruby-sdk
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
AI Analysis
Technical Summary
The sgbett bsv-ruby-sdk, used for interacting with the BSV blockchain, contains an improper verification of cryptographic signatures (CWE-347) in the WalletClient#acquire_certificate method. Specifically, when acquiring certificates via 'direct' or 'issuance' protocols, the SDK writes certificate records to storage without validating the certifier's signature over the certificate contents. This flaw enables attackers with access to the certificate acquisition APIs or control over certifier endpoints to create forged identity certificates that the SDK treats as valid.
Potential Impact
An attacker exploiting this vulnerability can forge identity certificates that the SDK will accept as authentic. This compromises the integrity of identity verification within applications using the affected SDK versions, potentially allowing unauthorized actions or impersonation. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality and integrity, with no impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or remediation level has been provided by the vendor. Users should monitor the vendor's advisory channels for updates and avoid using affected versions (>= 0.3.1, < 0.8.2) in sensitive environments until a fix is available. As a temporary measure, restrict access to the certificate acquisition APIs and certifier endpoints to trusted parties only.
CVE-2026-40070: CWE-347: Improper Verification of Cryptographic Signature in sgbett bsv-ruby-sdk
Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The sgbett bsv-ruby-sdk, used for interacting with the BSV blockchain, contains an improper verification of cryptographic signatures (CWE-347) in the WalletClient#acquire_certificate method. Specifically, when acquiring certificates via 'direct' or 'issuance' protocols, the SDK writes certificate records to storage without validating the certifier's signature over the certificate contents. This flaw enables attackers with access to the certificate acquisition APIs or control over certifier endpoints to create forged identity certificates that the SDK treats as valid.
Potential Impact
An attacker exploiting this vulnerability can forge identity certificates that the SDK will accept as authentic. This compromises the integrity of identity verification within applications using the affected SDK versions, potentially allowing unauthorized actions or impersonation. The CVSS 3.1 score of 8.1 reflects high impact on confidentiality and integrity, with no impact on availability.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or remediation level has been provided by the vendor. Users should monitor the vendor's advisory channels for updates and avoid using affected versions (>= 0.3.1, < 0.8.2) in sensitive environments until a fix is available. As a temporary measure, restrict access to the certificate acquisition APIs and certifier endpoints to trusted parties only.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T00:39:12.204Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7e6ff1cc7ad14dafe8de1
Added to database: 4/9/2026, 5:50:55 PM
Last enriched: 4/17/2026, 12:02:00 PM
Last updated: 5/24/2026, 9:40:05 PM
Views: 93
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.