Description

BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.

INFO

Published Date :

2026-04-09T17:26:51.495Z

Last Modified :

2026-04-09T17:26:51.495Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40070 vulnerability.

Vendors Products
Sgbett
  • Bsv-ruby-sdk
  • Bsv-sdk
  • Bsv-wallet
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40070.

URL Resource
https://brc.dev/52 cve-icon cve-icon
https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc cve-icon cve-icon
https://github.com/sgbett/bsv-ruby-sdk/issues/305 cve-icon cve-icon
https://github.com/sgbett/bsv-ruby-sdk/pull/306 cve-icon cve-icon
https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact