theinfosecnews

CVE-2026-40070

Published April 9, 2026 · Updated April 10, 2026

CVSS 8.1 (High)

What This Means

CVE-2026-40070 affects the BSV Ruby SDK, versions 0.3.1 up to but not including 0.8.2, and allows an attacker to forge identity certificates. The root cause is that the SDK does not verify the certifier's signature over a certificate's contents before persisting the certificate record, so a fraudulent certificate can be stored and later appear valid. To mitigate, upgrade to version 0.8.2 or later, and make sure any certificate-acquisition path verifies the certifier's signature before a record is written.

Official Description

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.
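As an added illustration of the missing check (this is not the BSV Ruby SDK's code), the Ruby store below refuses to persist a certificate record unless the certifier's signature over its contents verifies, on both a direct-style path, where the caller supplies every field, and an issuance-style path, where the fields come from a certifier's response body. The class, field names, RSA-SHA256 scheme and canonical JSON encoding are all assumptions standing in for the SDK's real format.

```ruby
require 'openssl'
require 'json'

# Illustrative certificate store, not the BSV Ruby SDK's code. The SDK's real
# field layout and signature scheme are not reproduced; RSA-SHA256 over a
# canonical JSON encoding stands in for them (assumption).
class CertificateStore
  attr_reader :records

  def initialize
    @records = []
  end

  # Canonical bytes the certifier's signature must cover: every field except
  # the signature itself, with keys sorted so the encoding is deterministic.
  def self.signed_payload(cert)
    JSON.generate(cert.reject { |k, _| k == :signature }.sort.to_h)
  end

  # The check the advisory describes as missing: verify the certifier's
  # signature over the certificate contents before anything is written.
  def persist(cert, certifier_pubkey)
    sig_b64 = cert[:signature]
    raise SecurityError, 'certificate has no signature' if sig_b64.to_s.empty?
    valid = begin
      certifier_pubkey.verify(OpenSSL::Digest::SHA256.new,
                              sig_b64.unpack1('m0'), # strict base64 decode
                              self.class.signed_payload(cert))
    rescue OpenSSL::PKey::PKeyError, ArgumentError
      false # malformed signature bytes count as a failed verification
    end
    raise SecurityError, 'certifier signature does not verify' unless valid
    @records << cert.dup
    true
  end

  # Issuance-style path: the certifier's response body is parsed and then goes
  # through the same verification instead of being written verbatim.
  def persist_issuance_response(body, certifier_pubkey)
    persist(JSON.parse(body, symbolize_names: true), certifier_pubkey)
  end
end

# Produces a correctly signed certificate from constructed sample fields, as a
# trusted certifier would; the signature is carried base64-encoded.
def issue_certificate(certifier_key, fields)
  sig = certifier_key.sign(OpenSSL::Digest::SHA256.new,
                           CertificateStore.signed_payload(fields))
  fields.merge(signature: [sig].pack('m0'))
end
```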

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-40070.
