CVE-2026-40070
Published: 09 April 2026
Summary
CVE-2026-40070 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Sgbett Bsv-Wallet. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 1.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires cryptographic integrity verification of information such as certificates prior to storage or use, directly addressing the failure to verify certifier signatures before persistence.
Mandates validation of certificates by verifying signatures against trusted anchors, preventing storage and subsequent use of forged identity certificates.
Requires timely remediation of identified software flaws, such as adding signature verification to the BSV Ruby SDK's acquire_certificate method.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows network exploitation of an exposed acquire_certificate API to inject forged certificates, because signature verification is skipped (CWE-347). This maps directly to T1190 for initial access and to T1553.002 for subverting trust by making invalidly signed artifacts appear authentic.
NVD Description
BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
Deeper analysis
CVE-2026-40070 affects the BSV Ruby SDK, a Ruby library for interacting with the BSV blockchain, specifically versions from 0.3.1 up to but not including 0.8.2. The vulnerability resides in the BSV::Wallet::WalletClient#acquire_certificate method, which persists certificate records to local storage without verifying the certifier's cryptographic signature over the certificate contents (CWE-347: Improper Verification of Cryptographic Signature). In the 'direct' acquisition_protocol, the caller provides all certificate fields, including the signature, and the record is stored verbatim. In the 'issuance' protocol, the client sends a POST request to a specified certifier URL and stores the signature from the response body unchecked.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). In 'direct' mode, anyone able to invoke the API can supply a forged certificate complete with a fake signature. In 'issuance' mode, an attacker controlling the targeted certifier endpoint can respond with a tampered certificate. Successful exploitation allows forging identity certificates that appear fully authentic when queried via list_certificates or prove_certificate methods, leading to high confidentiality (C:H) and integrity (I:H) impacts with no availability disruption (A:N), as scored at CVSS 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
The GitHub security advisory (GHSA-hc36-c89j-5f4j) and related pull request #306 detail the fix implemented in commit 4992e8a265fd914a7eeb0405c69d1ff0122a84cc, which adds signature verification prior to storage. Affected users should upgrade to version 0.8.2 or later. Additional context is available in issue #305 and the brc.dev/52 advisory.
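The store-without-verify pattern described above, next to a verify-before-persist version, as an added Ruby example that is not the SDK's code or the fix commit. Assumptions: P-256 ECDSA from Ruby's OpenSSL stands in for the certifier's signature scheme, the JSON encoding of the signed fields is invented for the demo, and all function names, keys and certificates are hypothetical or constructed.

```ruby
require 'openssl'
require 'json'

# Assumption: P-256 ECDSA from Ruby's OpenSSL stands in for the certifier's scheme.
CERTIFIER = OpenSSL::PKey::EC.generate('prime256v1') # constructed demo certifier key
ATTACKER  = OpenSSL::PKey::EC.generate('prime256v1') # constructed untrusted key
# Verification uses only the public half; a real trust store pins public keys only.
TRUSTED_CERTIFIERS = { 'certifier-1' => CERTIFIER }.freeze
DIGEST = 'SHA256'

# Hypothetical canonical encoding of everything the certifier signs.
def signed_bytes(cert)
  JSON.generate([cert[:certifier], cert[:fields].sort_by { |k, _| k.to_s }])
end

# Constructed helper: produce a certificate signed by `key` in the name of `certifier`.
def issue(key, certifier, fields)
  cert = { certifier: certifier, fields: fields }
  cert.merge(signature: key.sign(OpenSSL::Digest.new(DIGEST), signed_bytes(cert)))
end

def signature_valid?(cert)
  key = TRUSTED_CERTIFIERS[cert[:certifier]]
  return false unless key && cert[:fields].is_a?(Hash) && cert[:signature].is_a?(String)
  key.verify(OpenSSL::Digest.new(DIGEST), cert[:signature], signed_bytes(cert))
rescue OpenSSL::PKey::PKeyError
  false # malformed signature bytes mean rejection, not a crash
end

# Pattern the advisory describes: the record is persisted verbatim.
def acquire_unverified(store, cert)
  store << cert
  true
end

# Hardened pattern: check against a pinned certifier key before anything is written.
def acquire_verified(store, cert)
  return false unless signature_valid?(cert)
  store << cert
  true
end

if __FILE__ == $PROGRAM_NAME
  forged = { certifier: 'certifier-1', fields: { name: 'mallory' }, signature: 'junk' }
  puts "unverified path stores forged record: #{acquire_unverified([], forged)}"
  puts "verified path stores forged record:   #{acquire_verified([], forged)}"
  puts "verified path stores genuine record:  " \
       "#{acquire_verified([], issue(CERTIFIER, 'certifier-1', { name: 'alice' }))}"
end
```

The same check applies to both acquisition protocols: a signature taken from a certifier's HTTP response is as untrusted as one supplied by the caller until it verifies against a pinned key.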
Details
- CWE(s)