Jwt Attack
CVE-2026-33487
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed element's ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable _ref instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the ref pointer will always end up pointing to the last element in the SignedInfo.References slice after the loop. goxmlsig version 1.6.0 contains a patch.
AnalysisAI
XML Digital Signature validation in russellhaering/goxmldsig library prior to version 1.6.0 can be bypassed due to a Go loop variable capture bug, allowing remote unauthenticated attackers to forge or manipulate XML signatures without detection. The vulnerability affects applications using Go versions before 1.22 or older go.mod configurations, enabling integrity violations in SAML authentication, document signing, and other XML-DSig implementations. EPSS score of 0.02% suggests low observed exploitation probability, with no confirmed active exploitation (not in CISA KEV). Vendor patch available in version 1.6.0.
Technical ContextAI
The vulnerability stems from a classic Go loop variable capture issue in the validateSignature function. In Go versions before 1.22, taking the address of a loop variable (&_ref) inside the loop creates a pointer that references the loop variable's memory location rather than the value at each iteration. Consequently, after the loop completes, all captured pointers point to the final element in the SignedInfo.References slice. This affects XML Digital Signature (XMLDSig) validation, a W3C standard used to cryptographically sign and verify XML documents. The CWE-347 classification (Improper Verification of Cryptographic Signature) accurately captures the root cause: the signature validation logic fails to correctly match references to signed elements, allowing an attacker to craft XML documents where the signature appears valid but references wrong or manipulated content. This impacts applications using goxmldsig for SAML assertions, signed XML documents, or federated authentication systems where signature integrity is critical for trust decisions.
RemediationAI
Upgrade goxmldsig to version 1.6.0 or later, which contains a fix for the loop variable capture issue. Obtain the patched version from https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc. For SUSE environments, apply SUSE-SU-2026:1205 update available at https://www.suse.com/support/update/SUSE-SU-2026:1205/. Alternative mitigation: upgrade Go compiler to version 1.22 or later AND update go.mod to specify go 1.22+, which resolves the underlying language-level loop variable semantics issue even without library upgrade-however, this approach requires careful testing of the entire application codebase for compatibility. If immediate patching is not feasible, implement defense-in-depth controls: add explicit signature reference validation logic in application code that verifies each reference ID matches exactly one element before accepting signatures, treat signature validation failures conservatively by rejecting ambiguous or multi-match scenarios rather than defaulting to acceptance, and enable verbose logging of signature validation processes to detect potential exploitation attempts. Note that compensating controls add code complexity and may impact performance of high-volume XML processing pipelines. Monitor SAML authentication logs for anomalies such as unexpected successful authentications or duplicate reference IDs in signed assertions.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today