{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40070", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.204Z", "datePublished": "2026-04-09T17:26:51.495Z", "dateUpdated": "2026-04-13T15:38:58.154Z"}, "containers": {"cna": {"title": "bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)", "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"}, {"name": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "tags": ["x_refsource_MISC"], "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"}, {"name": "https://brc.dev/52", "tags": ["x_refsource_MISC"], "url": "https://brc.dev/52"}], "affected": [{"vendor": "sgbett", "product": "bsv-ruby-sdk", "versions": [{"version": ">= 0.3.1, < 0.8.2", "status": "affected"}]}, {"vendor": "sgbett", "product": "bsv-sdk", "versions": [{"version": ">= 0.3.1, < 0.8.2", "status": "affected"}]}, {"vendor": "sgbett", "product": "bsv-wallet", "versions": [{"version": ">= 0.1.2, < 0.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:26:51.495Z"}, "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate."}], "source": {"advisory": "GHSA-hc36-c89j-5f4j", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T15:29:59.716749Z", "id": "CVE-2026-40070", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:38:58.154Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40070", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T15:29:59.716749Z"}}}], "references": [{"url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:28:18.351Z"}}], "cna": {"title": "bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)", "source": {"advisory": "GHSA-hc36-c89j-5f4j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "sgbett", "product": "bsv-ruby-sdk", "versions": [{"status": "affected", "version": ">= 0.3.1, < 0.8.2"}]}, {"vendor": "sgbett", "product": "bsv-sdk", "versions": [{"status": "affected", "version": ">= 0.3.1, < 0.8.2"}]}, {"vendor": "sgbett", "product": "bsv-wallet", "versions": [{"status": "affected", "version": ">= 0.1.2, < 0.3.4"}]}], "references": [{"url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j", "name": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "name": "https://github.com/sgbett/bsv-ruby-sdk/issues/305", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "name": "https://github.com/sgbett/bsv-ruby-sdk/pull/306", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "name": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc", "tags": ["x_refsource_MISC"]}, {"url": "https://brc.dev/52", "name": "https://brc.dev/52", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:26:51.495Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40070", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:38:58.154Z", "dateReserved": "2026-04-09T00:39:12.204Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T17:26:51.495Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sgbett:bsv-wallet:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "64FDA9B4-4B7C-41B0-9736-991D19533DF6", "versionEndExcluding": "0.3.4", "versionStartIncluding": "0.1.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "634CB7F0-563B-42FC-BCF4-3F222AA63921", "versionEndExcluding": "0.8.2", "versionStartIncluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate."}], "id": "CVE-2026-40070", "lastModified": "2026-04-24T17:03:39.437", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:03.203", "references": [{"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://brc.dev/52"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.3.1,0.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bsv-ruby-sdk", "source": "cna", "vendor": "sgbett"}, "product": "bsv-ruby-sdk", "vendor": "sgbett"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.3.1,0.8.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bsv-sdk", "source": "cna", "vendor": "sgbett"}, "product": "bsv-sdk", "vendor": "sgbett"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.1.2,0.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "bsv-wallet", "source": "cna", "vendor": "sgbett"}, "product": "bsv-wallet", "vendor": "sgbett"}], "analysis": {"en": {"generated_at": "2026-04-09T19:22:15.132992+00:00", "value": {"mitigation_remediation": ["Upgrade the BSV Ruby SDK, BSV SDK, and BSV Wallet to a version that includes the signature verification fix (\u22650.8.2).", "Restrict access to the acquire_certificate API so that only trusted clients or internal networks can invoke it, and apply firewall or network segmentation as needed.", "If an upgrade is not immediately possible, modify the code to verify the certifier\u2019s signature before persisting the certificate record. If code changes are not feasible, disable unused acquisition protocols (direct or issuance) to reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "Forged identity certificates can be created and accepted as authentic."}, "threat_synthesis": {"affected_systems": "The issue affects the sgbett BSV Ruby SDK, BSV SDK, and BSV Wallet products. Version numbers from 0.3.1 up to, but not including, 0.8.2 are vulnerable. Systems running these libraries that expose the acquire_certificate API are exposed to risk, especially those that permit external callers to request certificates or control a certifier endpoint.", "description_and_impact": "The vulnerability allows unverified certifier signatures to be stored during the certificate acquisition process, whether through the direct or issuance protocol. Because the client writes the signature it receives directly to storage, an attacker can supply or forge a certifier signature that will subsequently appear valid to list_certificates and prove_certificate calls. This flaw permits the creation of false identity certificates that an application will treat as legitimate, potentially enabling impersonation or unauthorized operations on the BSV network. The weakness is a classic example of improper validation of user data (CWE-347).", "risk_and_exploitability": "The CVSS score of 8.1 indicates a high severity vulnerability. No EPSS score is available, and the issue is not listed in CISA\u2019s KEV catalog, but the attack vector is straightforward: an attacker can send a crafted request to either the direct or issuance acquire_certificate endpoint, or control a certifier endpoint and supply a forged signature. The exploit has minimal prerequisites\u2014simply the ability to communicate with the API\u2014and therefore the likelihood of exploitation is high. The resulting impact ranges from identity spoofing to potentially fraudulent transactions if certificate-based authorization is used."}}}}, "created": "2026-04-10T08:52:44.426883+00:00", "updated": "2026-04-10T09:31:55.025668+00:00", "vendors": ["sgbett", "sgbett$PRODUCT$bsv-ruby-sdk", "sgbett$PRODUCT$bsv-sdk", "sgbett$PRODUCT$bsv-wallet"]}