CVE-2026-26275

7.5 HIGH

📋 TL;DR

A logic flaw in httpsig-hyper versions before 0.0.23 causes Digest header verification to always succeed regardless of the actual digest values, so tampering with a message body goes undetected. This affects applications that rely on the library for HTTP message integrity validation without performing additional integrity checks of their own. The vulnerability allows an attacker to modify a message body while the message still passes verification.

💻 Affected Systems

Products:
  • httpsig-hyper
Versions: All versions before 0.0.23
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the library's Digest header verification functionality. Impact severity depends on how the library is integrated and whether additional validation is performed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete bypass of message integrity protection leading to undetected data manipulation, injection attacks, or privilege escalation depending on application context.

🟠 Likely Case

Message tampering that could lead to data corruption, unauthorized actions, or information disclosure in applications relying solely on this verification.

🟢 If Mitigated

Minimal impact if applications implement additional signature validation layers or message integrity checks beyond the vulnerable library.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending modified HTTP messages to applications using the vulnerable library. No authentication needed if the application accepts external messages.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.0.23

Vendor Advisory: https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify 'httpsig-hyper = "0.0.23"' or higher
2. Run 'cargo update'
3. Rebuild and redeploy application
4. Restart affected services

🔧 Temporary Workarounds

Disable Digest verification (applies to: all)

Remove or disable Digest header verification in application code by skipping or removing calls to the vulnerable digest verification functions. Because the vulnerable check always succeeds, disabling it removes no effective protection, but it also adds none: pair this workaround with the independent integrity checks listed under "If You Can't Patch".

🧯 If You Can't Patch

  • Implement application-layer message integrity checks independent of the library
  • Enforce full HTTP message signature verification with additional validation mechanisms

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for httpsig-hyper version < 0.0.23

Check Version:

grep -A2 -B2 httpsig-hyper Cargo.lock || grep httpsig-hyper Cargo.toml

Verify Fix Applied:

Verify that the resolved version in Cargo.lock is 0.0.23 or higher, then test Digest verification with a deliberately mismatched digest value and confirm that verification now fails.
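As an added example that is not part of this advisory, the following POSIX shell script automates the version check above: it parses the resolved httpsig-hyper version(s) out of a Cargo.lock and compares them numerically against the fixed release 0.0.23, which avoids the false negatives a plain string comparison gives (for example 0.0.100 vs 0.0.23). The lock fragments at the bottom are constructed for a stand-alone run and assume Cargo.lock's standard [[package]] / name / version layout.

```shell
#!/bin/sh
# Added example, not from the advisory: does a Cargo.lock pin httpsig-hyper
# below the fixed release 0.0.23 (CVE-2026-26275)?

FIXED_VERSION="0.0.23"

# Print every resolved version of package $1 found in the Cargo.lock on stdin.
lock_versions() {
  awk -v pkg="$1" '
    $0 == "[[package]]" { name = ""; next }
    /^name = / { gsub(/"/, "", $3); name = $3; next }
    /^version = / && name == pkg { gsub(/"/, "", $3); print $3 }
  '
}

# Succeed if dotted version $1 is strictly older than $2 (numeric comparison
# per component, so 0.0.100 is correctly treated as newer than 0.0.23).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Print "vulnerable" if any resolved httpsig-hyper is below the fix,
# "fixed" if all are at or above it, "absent" if the crate is not present.
check_lock() {
  versions=$(lock_versions httpsig-hyper)
  [ -z "$versions" ] && { echo absent; return 0; }
  for v in $versions; do
    if version_lt "$v" "$FIXED_VERSION"; then echo vulnerable; return 0; fi
  done
  echo fixed
}

# Constructed sample lock fragments (not real project files).
VULN_LOCK='[[package]]
name = "httpsig"
version = "0.0.23"

[[package]]
name = "httpsig-hyper"
version = "0.0.22"
'
FIXED_LOCK='[[package]]
name = "httpsig-hyper"
version = "0.0.23"
'
printf '%s' "$VULN_LOCK" | check_lock    # vulnerable
printf '%s' "$FIXED_LOCK" | check_lock   # fixed
```

Run it against a real project with `check_lock < Cargo.lock`; a result of "absent" means the crate is not a resolved dependency and the advisory does not apply.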

📡 Detection & Monitoring

Log Indicators:

  • Unexpected successful digest validations
  • Message processing without proper validation logs
  • Anomalous message acceptance patterns

Network Indicators:

  • HTTP messages with modified bodies but valid signatures
  • Unusual message patterns that should fail validation

SIEM Query:

Not applicable - application-specific logging required
