CVE-2026-33487
Published: 26 March 2026
Summary
CVE-2026-33487 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in the goxmldsig library (vendor: Goxmldsig Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 7.1 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation) directly requires identifying, reporting, and patching flaws such as the loop variable capture in goxmldsig prior to version 1.6.0, preventing the signature validation bypass.
- RA-5 (Vulnerability Monitoring and Scanning) detects deployed systems that use goxmldsig versions affected by CVE-2026-33487.
- Integrity verification tools confirm the deployed goxmldsig library version and detect unauthorized changes that could enable exploitation of the reference mismatch flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated exploitation via malicious XML input directly matches T1190; the signature bypass enables forging of signed web credentials such as SAML tokens (T1606.002).
NVD Description
goxmldsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the `validateSignature` function in `validate.go` goes through the references in the `SignedInfo` block to find one that matches the signed element's ID. In Go versions before 1.22, or when `go.mod` uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable `_ref` instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the `ref` pointer will always end up pointing to the last element in the `SignedInfo.References` slice after the loop. goxmldsig version 1.6.0 contains a patch.
Deeper analysis
CVE-2026-33487 affects the goxmldsig Go library, which implements XML Digital Signatures, in versions prior to 1.6.0. The vulnerability resides in the `validateSignature` function within `validate.go`, where the code iterates through the references in the `SignedInfo` block to match the signed element's ID. Because of a loop variable capture issue in Go versions before 1.22, or when `go.mod` selects an older language version, the function takes the address of the loop variable `_ref` instead of its value. Consequently, if multiple references match the ID or the loop logic fails, the `ref` pointer always points to the last element in the `SignedInfo.References` slice. Published on 2026-03-26, the issue carries a CVSS v3.1 score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-347 and CWE-682.
A remote, unauthenticated attacker can exploit this vulnerability with low complexity and no user interaction by supplying a malicious XML document containing multiple references in `SignedInfo` that match the target element's ID. This causes the validation to reference the incorrect (last) element, enabling signature validation bypass and high integrity impact, such as accepting forged or altered XML signatures in applications relying on goxmlsig for verification.
goxmlsig version 1.6.0 includes a patch addressing this flaw. Additional details on the vulnerability and remediation are available in the GitHub security advisory at https://github.com/russellhaering/goxmldsig/security/advisories/GHSA-479m-364c-43vc.
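To show the mechanism in isolation, the following is an added, constructed Go example; it is not goxmldsig's own code, and the `Reference` type, the `findRefOld`/`findRefFixed` functions and the digest strings are assumptions made for illustration. `findRefOld` models the pre-1.22 semantics the advisory describes (one loop variable reused across iterations, whose address is stored without breaking out of the loop) using an explicit outer variable so that it behaves identically on any Go toolchain; `findRefFixed` shows the shape of a correct selection (address the slice element itself and stop at the first match).

```go
package main

import "fmt"

// Reference is a simplified stand-in for an XML-DSig <Reference>: the URI of
// the element it covers and the digest recorded for that element. It is a
// constructed type for this example, not goxmldsig's own.
type Reference struct {
	URI    string
	Digest string
}

// findRefOld models the pre-Go-1.22 loop semantics described in the advisory.
// A single variable (`cur`) is reused on every iteration; the code stores its
// address and keeps looping, so once any reference matched, the returned
// pointer ends up describing the LAST element of the slice. Declaring `cur`
// outside the loop reproduces that behaviour deterministically on every Go
// version (in pre-1.22 code the same effect comes from `ref = &_ref` inside a
// range loop).
func findRefOld(refs []Reference, id string) *Reference {
	var ref *Reference
	var cur Reference // reused across iterations, like a pre-1.22 range variable
	for i := 0; i < len(refs); i++ {
		cur = refs[i]
		if cur.URI == "#"+id {
			ref = &cur // address of the shared variable, not of refs[i]
		}
	}
	return ref
}

// findRefFixed takes the address of the slice element itself and stops at the
// first match, so the pointer identifies the matching reference regardless of
// Go version or of how many references follow it.
func findRefFixed(refs []Reference, id string) *Reference {
	for i := range refs {
		if refs[i].URI == "#"+id {
			return &refs[i]
		}
	}
	return nil
}

// digestMatches is the decision a verifier makes once it has picked the
// Reference for the signed element: the recorded digest must equal the digest
// it computed over the element it actually received.
func digestMatches(ref *Reference, computed string) bool {
	return ref != nil && ref.Digest == computed
}

func main() {
	// Constructed SignedInfo: the first Reference is the genuine one for the
	// signed element; a trailing Reference with a different URI records the
	// digest of a modified copy of that element.
	refs := []Reference{
		{URI: "#doc", Digest: "digest-of-original-doc"},
		{URI: "#other", Digest: "digest-of-modified-doc"},
	}
	computed := "digest-of-modified-doc" // digest computed over the element received

	old := findRefOld(refs, "doc")
	fixed := findRefFixed(refs, "doc")
	fmt.Printf("pre-1.22 loop picks %s -> digest check %v\n", old.URI, digestMatches(old, computed))
	fmt.Printf("fixed loop picks    %s -> digest check %v\n", fixed.URI, digestMatches(fixed, computed))
}
```

With the constructed input, the old selection compares the received element against the digest recorded in the last reference (which does not even carry the matching URI) and accepts it, while the fixed selection compares against the reference that actually names `#doc` and rejects the modified element. This is why both halves of the fix matter: addressing `refs[i]` removes the dependence on loop-variable semantics, and stopping at the first match removes the dependence on how many references follow it.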