Skip to main content

Jwt Attack CVE-2026-33487

HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-03-26 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Updated
Apr 20, 2026 - 14:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 20, 2026 - 14:22 vuln.today
cvss_changed
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 17:45 vuln.today
CVE Published
Mar 26, 2026 - 17:17 nvd
HIGH 7.5

DescriptionCVE.org

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable _ref instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the ref pointer will always end up pointing to the last element in the SignedInfo.References slice after the loop. goxmlsig version 1.6.0 contains a patch.

AnalysisAI

XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.

Technical ContextAI

The vulnerability stems from a classic Go loop variable capture issue in the validateSignature function. In Go versions before 1.22, taking the address of a loop variable (&_ref) inside the loop creates a pointer that references the loop variable's memory location rather than the value at each iteration. Consequently, after the loop completes, all captured pointers point to the final element in the SignedInfo.References slice. This affects XML Digital Signature (XMLDSig) validation, a W3C standard used to cryptographically sign and verify XML documents. The CWE-347 classification (Improper Verification of Cryptographic Signature) accurately captures the root cause: the signature validation logic fails to correctly match references to signed elements, allowing an attacker to craft XML documents where the signature appears valid but references wrong or manipulated content. This impacts applications using goxmldsig for SAML assertions, signed XML documents, or federated authentication systems where signature integrity is critical for trust decisions.

RemediationAI

Upgrade goxmldsig to version 1.6.0 or later, which contains a fix for the loop variable capture issue. Obtain the patched version from https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc. For SUSE environments, apply SUSE-SU-2026:1205 update available at https://www.suse.com/support/update/SUSE-SU-2026:1205/. Alternative mitigation: upgrade Go compiler to version 1.22 or later AND update go.mod to specify go 1.22+, which resolves the underlying language-level loop variable semantics issue even without library upgrade-however, this approach requires careful testing of the entire application codebase for compatibility. If immediate patching is not feasible, implement defense-in-depth controls: add explicit signature reference validation logic in application code that verifies each reference ID matches exactly one element before accepting signatures, treat signature validation failures conservatively by rejecting ambiguous or multi-match scenarios rather than defaulting to acceptance, and enable verbose logging of signature validation processes to detect potential exploitation attempts. Note that compensating controls add code complexity and may impact performance of high-volume XML processing pipelines. Monitor SAML authentication logs for anomalies such as unexpected successful authentications or duplicate reference IDs in signed assertions.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-33487 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy