Cyber Resilience

CVE-2026-26275

High

Published: 19 February 2026
Modified: 03 March 2026
KEV Added: not listed
Patch: available
CVSS Score (v3.1): 7.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26275 is a high-severity Improper Validation of Integrity Check Value (CWE-354) vulnerability in Junkurihara Httpsig-Hyper. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 5.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-8 (Transmission Confidentiality and Integrity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26275 affects httpsig-hyper, a Hyper extension for HTTP message signatures, in versions prior to 0.0.23. The vulnerability stems from a misuse of Rust's `matches!` macro in Digest header verification, where the comparison `if matches!(digest, _expected_digest)` incorrectly treats `_expected_digest` as a pattern binding rather than performing a value comparison. This results in unconditional success of the match expression, causing digest verification to return success even when the computed digest does not match the expected value. Consequently, applications relying on this library for Digest verification as part of HTTP message signature validation may fail to detect modifications to the message body.

Remote attackers require no privileges or user interaction to exploit this issue over the network with low complexity, as indicated by its CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Exploitation allows an attacker to send HTTP messages with tampered bodies that pass Digest verification, bypassing integrity checks tied to HTTP message signatures. The result is undetected modification of the message body; the impact is confined to integrity (rated High), with no confidentiality or availability impact. The associated weaknesses are CWE-354 (Improper Validation of Integrity Check Value) and CWE-697 (Incorrect Comparison).

The security advisory and patch details in the httpsig-rs GitHub repository confirm the fix in version 0.0.23, which replaces the erroneous `matches!` usage with a proper value comparison and adds constant-time comparison for defense-in-depth, along with regression tests. Users are strongly advised to upgrade immediately, as there is no reliable workaround; those unable to upgrade should avoid relying solely on Digest verification and enforce full HTTP message signature validation at the application layer. Relevant references include the fixing commits, pull requests, and the GHSA-7v42-g35v-xrch advisory.

EU & UK References

Vulnerability details

httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.
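The `matches!` pitfall described in the analysis and in the advisory text above, as an added illustration that is not code from httpsig-hyper or its advisory: the vulnerable comparison shape beside the corrected value comparison and a constant-time variant, driven through a small verification routine. `toy_digest` is a constructed stand-in (FNV-1a) for the real content hash, and every function name here is an assumption.

```rust
// Added example, not code from httpsig-hyper: shows why
// `matches!(digest, _expected_digest)` always succeeds, and what the fix looks like.

/// Vulnerable shape. The second argument of `matches!` is a *pattern*, and a bare
/// identifier in pattern position is an irrefutable binding that matches every value.
/// The parameter `_expected_digest` is shadowed, never compared, so this returns
/// true for any input. rustc flags the dead `_ => false` arm as an unreachable
/// pattern; the allow below exists only so the buggy shape compiles quietly.
#[allow(unreachable_patterns)]
fn digest_matches_buggy(digest: &[u8], _expected_digest: &[u8]) -> bool {
    matches!(digest, _expected_digest)
}

/// Corrected shape: an ordinary value comparison.
fn digest_matches_fixed(digest: &[u8], expected_digest: &[u8]) -> bool {
    digest == expected_digest
}

/// Defense-in-depth variant: constant-time comparison, so elapsed time does not
/// reveal how many leading bytes agree. Hand-rolled here to avoid crates; production
/// code should use an audited implementation (for example the `subtle` crate).
fn digest_matches_ct(digest: &[u8], expected_digest: &[u8]) -> bool {
    if digest.len() != expected_digest.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (a, b) in digest.iter().zip(expected_digest.iter()) {
        diff |= a ^ b;
    }
    diff == 0
}

/// Constructed stand-in for the real content hash (SHA-256 in practice):
/// FNV-1a 64-bit, so the example runs with no external crates.
fn toy_digest(body: &[u8]) -> Vec<u8> {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &byte in body {
        h ^= u64::from(byte);
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    h.to_be_bytes().to_vec()
}

/// Recompute the digest of the received body and compare it with the value carried
/// in the Digest header, using the supplied comparison function.
fn verify_body(body: &[u8], header_digest: &[u8], compare: fn(&[u8], &[u8]) -> bool) -> bool {
    let computed = toy_digest(body);
    compare(&computed, header_digest)
}

fn main() {
    // Constructed sample: the body an honest sender signed, and a modified copy.
    let original = b"{\"amount\":10}";
    let tampered = b"{\"amount\":99}";
    let header = toy_digest(original); // Digest header value for the original body

    println!("buggy check, tampered body accepted: {}", verify_body(tampered, &header, digest_matches_buggy));
    println!("fixed check, tampered body accepted: {}", verify_body(tampered, &header, digest_matches_fixed));
    println!("ct check,    tampered body accepted: {}", verify_body(tampered, &header, digest_matches_ct));
    println!("ct check,    original body accepted: {}", verify_body(original, &header, digest_matches_ct));
}
```

The buggy function accepts the tampered body; both corrected forms reject it and accept the original. The `#[allow(unreachable_patterns)]` attribute is also the detection hint: without it rustc warns that the `_ => false` arm can never run, so a build that promotes that warning to an error would have caught this class of bug before release.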

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1565.002 Transmitted Data Manipulation (Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Vulnerability bypasses HTTP Digest/signature integrity verification, directly enabling undetected tampering of message bodies in transit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32105 (shared CWE-354)
CVE-2026-5479 (shared CWE-354)
CVE-2026-32313 (shared CWE-354)
CVE-2023-48795 (shared CWE-354)
CVE-2026-34210 (shared CWE-697)
CVE-2026-28402 (shared CWE-354)
CVE-2025-20343 (shared CWE-697)
CVE-2026-8597 (shared CWE-354)
CVE-2026-32600 (shared CWE-354)
CVE-2026-31839 (shared CWE-354)

Affected Assets

junkurihara
httpsig-hyper
≤ 0.0.23

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2 Flaw Remediation): Mandates timely flaw remediation, such as upgrading httpsig-hyper to version 0.0.23, directly fixing the incorrect Digest header verification logic.

Prevent: Requires robust integrity verification mechanisms for software and transmitted information, countering undetected HTTP message body modifications due to flawed digest checks.

Prevent (SC-8 Transmission Confidentiality and Integrity): Enforces protection of transmission integrity, mitigating exploitation of the Digest verification bypass in HTTP message signatures.

References