The vulnerability identified as CVE-2026-4600 affects the jsrsasign JavaScript cryptographic library, specifically versions prior to 11.1.1. The root cause lies in improper verification of cryptographic signatures due to inadequate validation of DSA domain parameters within the KJUR.crypto.DSA.setPublic method and the associated DSA/X.509 signature verification process in src/dsa-2.0.js. DSA signatures rely on domain parameters (p, q, g) and public keys (y) to ensure signature validity. However, the vulnerable code does not sufficiently validate these parameters, allowing an attacker to supply malicious values such as g=1, y=1, and a fixed r=1 in the signature. These crafted parameters cause the mathematical verification equation to always return true regardless of the actual message hash, effectively enabling signature forgery. Consequently, attackers can forge DSA signatures or X.509 certificates that the X509.verifySignature() function will accept as valid, completely bypassing cryptographic authentication and integrity checks. This flaw compromises the trust model of any system relying on jsrsasign for cryptographic verification, including web applications, client-side cryptography, and certificate validation workflows. The vulnerability has a CVSS 4.0 base score of 9.1 (critical), reflecting its high impact on confidentiality and integrity, no required privileges or user interaction, but higher attack complexity due to the need to craft specific domain parameters. While no known exploits are reported in the wild, the potential for abuse in impersonation, man-in-the-middle attacks, or unauthorized code signing is significant. The issue was publicly disclosed on March 23, 2026, and fixed in jsrsasign version 11.1.1. Users of affected versions should upgrade immediately to prevent exploitation.

This vulnerability severely undermines the cryptographic assurances provided by jsrsasign, affecting any application or system that uses this library for DSA or X.509 signature verification. Attackers can forge signatures and certificates, enabling impersonation of trusted parties, bypassing authentication mechanisms, and potentially injecting malicious code or commands. This can lead to unauthorized access, data breaches, and disruption of secure communications. The impact extends to web applications, client-side cryptographic operations, certificate validation in browsers or services, and any infrastructure relying on jsrsasign for signature verification. Given the widespread use of JavaScript libraries in web and mobile applications, the scope is broad. Organizations may face reputational damage, regulatory penalties, and operational disruptions if exploited. Although no active exploits are reported, the critical severity and ease of bypassing signature verification make this a high-risk vulnerability that demands urgent remediation.

1. Upgrade jsrsasign to version 11.1.1 or later immediately, as this version contains the patch that properly validates DSA domain parameters and fixes the signature verification flaw. 2. Audit all applications and services that use jsrsasign for cryptographic operations, especially those performing DSA or X.509 signature verification, to ensure they are not using vulnerable versions. 3. Implement additional cryptographic validation layers where possible, such as verifying certificates against trusted certificate authorities and using alternative libraries with robust signature verification. 4. Monitor cryptographic verification logs for anomalies that may indicate forged signatures or certificates. 5. Educate developers and security teams about the risks of improper cryptographic parameter validation and encourage secure coding practices. 6. Consider deploying runtime application self-protection (RASP) or web application firewalls (WAF) with rules to detect suspicious certificate or signature anomalies until patches are fully deployed. 7. Review and update cryptographic policies to prefer stronger algorithms and avoid deprecated or vulnerable signature schemes like DSA when possible.