Cyber Resilience

CVE-2026-4600

Severity: High · Public PoC · Updated

Published: 23 March 2026
Modified: 30 June 2026
KEV Added
Patch
CVSS v4.0 score: 8.1 (High)
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0015 (4.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-4600 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Kjur Jsrsasign. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4600 affects versions of the jsrsasign JavaScript package prior to 11.1.1, specifically due to improper verification of cryptographic signatures in the DSA domain-parameter validation implemented in KJUR.crypto.DSA.setPublic and the related DSA/X509 verification flow in src/dsa-2.0.js. This vulnerability, classified under CWE-347 (Improper Verification of Cryptographic Signature), allows attackers to bypass signature validation by providing malicious domain parameters, such as g=1, y=1, and a fixed r=1, which force the verification equation to hold true regardless of the input hash value. The issue carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.

Remote attackers with no privileges or user interaction required can exploit this vulnerability over the network, though it demands high attack complexity. By crafting DSA signatures or X.509 certificates with the specified invalid parameters, adversaries can trick the affected jsrsasign verification functions into accepting forged cryptographic artifacts as valid, potentially enabling impersonation, tampering with signed data, or deployment of malicious certificates in applications relying on this library for DSA-based signature or X.509 validation.

Advisories and patch references recommend upgrading to jsrsasign version 11.1.1 or later, where the fix is implemented via commit 37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60 in pull request #646. Additional details are available from Snyk's vulnerability report (SNYK-JS-JSRSASIGN-15370940) and proof-of-concept gists demonstrating the domain parameter manipulation.

Vulnerability details

Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
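To make the failure mode described in the two sections above concrete from the defender's side, the following added example (written for this page; it is not code from jsrsasign, the advisory or the referenced gists) implements textbook DSA verification in two forms. `verifyUnchecked` evaluates only the verification equation v == r; `verifyChecked` first runs `validateDsaInputs`, which enforces the standard range and subgroup conditions (1 < g < p, g^q ≡ 1 mod p, 1 < y < p, y^q ≡ 1 mod p, 0 < r < q, 0 < s < q). The toy parameters (p=23, q=11, g=2, private key 7, public key 13) and the degenerate set (g=1, y=1, r=1) are constructed here; the function names and the placement of the check are assumptions, not jsrsasign's API, and nothing here indicates where the project's actual fix lives.

```javascript
// Added example (not jsrsasign's code): a minimal DSA verifier in two forms,
// one that trusts caller-supplied domain parameters and one that validates
// them first. All arithmetic is on BigInt. The toy parameters below are
// constructed for illustration and are far too small for real use.

// Square-and-multiply modular exponentiation.
function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse via the extended Euclidean algorithm; throws if none exists.
function modInverse(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error("no modular inverse");
  return ((oldS % m) + m) % m;
}

// The bare DSA verification equation (FIPS 186-4 shape): accept iff v === r.
// With no parameter validation, degenerate g, y and r chosen by the signer
// make v equal r for every hash, which is the condition the advisory describes.
function verifyUnchecked({ p, q, g, y }, { r, s }, hash) {
  const w = modInverse(s, q); // throws on s === 0; the checked path rejects s === 0 earlier
  const u1 = (hash * w) % q;
  const u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

// Domain-parameter and signature-range validation. Returns null when all
// conditions hold, otherwise a string naming the first failed condition.
// Hypothetical helper: real code would also enforce minimum bit lengths
// for p and q, which this toy example cannot do.
function validateDsaInputs({ p, q, g, y }, { r, s }) {
  if (p <= 3n || q <= 1n) return "p or q out of range";
  if ((p - 1n) % q !== 0n) return "q does not divide p-1";
  if (g <= 1n || g >= p) return "g must satisfy 1 < g < p";
  if (modPow(g, q, p) !== 1n) return "g is not of order q";
  if (y <= 1n || y >= p) return "y must satisfy 1 < y < p";
  if (modPow(y, q, p) !== 1n) return "y is not in the order-q subgroup";
  if (r <= 0n || r >= q) return "r must satisfy 0 < r < q";
  if (s <= 0n || s >= q) return "s must satisfy 0 < s < q";
  return null;
}

// Hardened entry point: validate, then evaluate the equation.
function verifyChecked(params, sig, hash) {
  if (validateDsaInputs(params, sig) !== null) return false;
  return verifyUnchecked(params, sig, hash);
}

// Constructed toy key: p=23, q=11, g=2 (order 11 mod 23), x=7, y=2^7 mod 23=13.
const TOY_PARAMS = { p: 23n, q: 11n, g: 2n, y: 13n };
// Constructed signature of hash value 5 with nonce k=3: (r, s) = (8, 2).
const TOY_SIG = { r: 8n, s: 2n };

// Degenerate inputs of the kind the advisory names: g=1, y=1, r=1.
const DEGENERATE_PARAMS = { p: 23n, q: 11n, g: 1n, y: 1n };
const DEGENERATE_SIG = { r: 1n, s: 1n };

// Stand-alone run: honest signature passes both verifiers, a wrong hash fails
// both, and the degenerate set passes only the unchecked verifier.
console.log("valid sig, checked:", verifyChecked(TOY_PARAMS, TOY_SIG, 5n));
console.log("wrong hash, checked:", verifyChecked(TOY_PARAMS, TOY_SIG, 6n));
console.log("degenerate, unchecked:", verifyUnchecked(DEGENERATE_PARAMS, DEGENERATE_SIG, 99n));
console.log("degenerate, checked:", verifyChecked(DEGENERATE_PARAMS, DEGENERATE_SIG, 99n),
  "reason:", validateDsaInputs(DEGENERATE_PARAMS, DEGENERATE_SIG));
```

With the degenerate set, `verifyUnchecked` returns true for any hash value because g^u1 and y^u2 are both 1, so v is 1 and matches the fixed r; `verifyChecked` never reaches the equation because the g range check fails first. The design point for anyone reviewing a verifier: domain parameters and public keys that arrive inside the artifact being verified (a certificate or a signed message) are attacker-controlled input, so range and subgroup membership checks belong before the signature equation, not after.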

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1553.002 Code Signing (Defense Impairment)
Adversaries may create, acquire, or steal code signing materials to sign their malware or tools.
Why these techniques?

The CVE enables remote exploitation of applications that use the library (T1190) and directly bypasses cryptographic signature verification, so forged artifacts and certificates are accepted as valid (T1553.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4598 (same product: Kjur Jsrsasign)
CVE-2026-4599 (same product: Kjur Jsrsasign)
CVE-2026-4602 (same product: Kjur Jsrsasign)
CVE-2026-33895 (shared CWE-347)
CVE-2026-40070 (shared CWE-347)
CVE-2025-27773 (shared CWE-347)
CVE-2026-34840 (shared CWE-347)
CVE-2026-23965 (shared CWE-347)
CVE-2026-5050 (shared CWE-347)
CVE-2023-25574 (shared CWE-347)

Affected Assets

kjur / jsrsasign / ≤ 11.1.1

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-2 Flaw Remediation): requires timely identification, reporting, and correction of software flaws, directly mitigating CVE-2026-4600 by patching jsrsasign to version 11.1.1 or later, where DSA domain-parameter validation is fixed.

Prevent: mandates implementation of cryptographic protections using compliant modules and standards, preventing reliance on flawed JavaScript libraries like jsrsasign for DSA signature and X.509 verification.

Detect (RA-5 Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify deployments of vulnerable jsrsasign versions affected by improper DSA domain-parameter validation, facilitating remediation before exploitation.
