CVE-2026-4600
Published: 23 March 2026
Summary
CVE-2026-4600 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Jsrsasign Project Jsrsasign. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of software flaws, directly mitigating CVE-2026-4600 by patching jsrsasign to version 11.1.1 or later where DSA domain-parameter validation is fixed.
Mandates implementation of cryptographic protections using compliant modules and standards, preventing reliance on flawed JavaScript libraries like jsrsasign for DSA signature and X.509 verification.
Enables vulnerability scanning to identify deployments of vulnerable jsrsasign versions affected by improper DSA domain-parameter validation, facilitating remediation before exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of apps using the library (T1190) and directly bypasses cryptographic signature verification for forged artifacts/certificates (T1553.002).
NVD Description
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that…
more
X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
Deeper analysisAI
CVE-2026-4600 affects versions of the jsrsasign JavaScript package prior to 11.1.1, specifically due to improper verification of cryptographic signatures in the DSA domain-parameter validation implemented in KJUR.crypto.DSA.setPublic and the related DSA/X509 verification flow in src/dsa-2.0.js. This vulnerability, classified under CWE-347 (Improper Verification of Cryptographic Signature), allows attackers to bypass signature validation by providing malicious domain parameters, such as g=1, y=1, and a fixed r=1, which force the verification equation to hold true regardless of the input hash value. The issue carries a CVSS v3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts.
Remote attackers with no privileges or user interaction required can exploit this vulnerability over the network, though it demands high attack complexity. By crafting DSA signatures or X.509 certificates with the specified invalid parameters, adversaries can trick the affected jsrsasign verification functions into accepting forged cryptographic artifacts as valid, potentially enabling impersonation, tampering with signed data, or deployment of malicious certificates in applications relying on this library for DSA-based signature or X.509 validation.
Advisories and patch references recommend upgrading to jsrsasign version 11.1.1 or later, where the fix is implemented via commit 37b4c06b145c7bfd6bc2a6df5d0a12c56b15ef60 in pull request #646. Additional details are available from Snyk's vulnerability report (SNYK-JS-JSRSASIGN-15370940) and proof-of-concept gists demonstrating the domain parameter manipulation.
Details
- CWE(s)