{"id":"CVE-2026-40070","summary":"bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)","details":"BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.","aliases":["GHSA-hc36-c89j-5f4j"],"modified":"2026-07-15T01:49:03.016167498Z","published":"2026-04-09T17:26:51.495Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40070.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-347"]},"references":[{"type":"WEB","url":"https://brc.dev/52"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40070.json"},{"type":"ADVISORY","url":"https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40070"},{"type":"REPORT","url":"https://github.com/sgbett/bsv-ruby-sdk/issues/305"},{"type":"FIX","url":"https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"},{"type":"FIX","url":"https://github.com/sgbett/bsv-ruby-sdk/pull/306"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sgbett/bsv-ruby-sdk","events":[{"introduced":"5a335de39a0c2235de31bf81befd6698103670de"},{"fixed":"7ae8d49e81763aba3cd27a827769698030c1bf83"},{"introduced":"b74f4acf44e915adba0d367445927d6a560ea486"},{"fixed":"7ae8d49e81763aba3cd27a827769698030c1bf83"},{"fixed":"4992e8a265fd914a7eeb0405c69d1ff0122a84cc"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"cpe":["cpe:2.3:a:sgbett:bsv-wallet:*:*:*:*:*:ruby:*:*","cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*"],"extracted_events":[{"introduced":"0.1.2"},{"fixed":"0.3.4"},{"introduced":"0.3.1"},{"fixed":"0.8.2"}]}}],"versions":["v0.8.1","v0.8.0","wallet-v0.3.3","wallet-v0.3.2","wallet-v0.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40070.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}