{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:sgbett:bsv-wallet:*:*:*:*:*:ruby:*:*",
              "cpe:2.3:a:sgbett:bsv_ruby_sdk:*:*:*:*:*:ruby:*:*"
            ],
            "extracted_events": [
              {
                "introduced": "0.1.2"
              },
              {
                "fixed": "0.3.4"
              },
              {
                "introduced": "0.3.1"
              },
              {
                "fixed": "0.8.2"
              }
            ],
            "source": [
              "CPE_RANGE",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "5a335de39a0c2235de31bf81befd6698103670de"
            },
            {
              "fixed": "7ae8d49e81763aba3cd27a827769698030c1bf83"
            },
            {
              "introduced": "b74f4acf44e915adba0d367445927d6a560ea486"
            },
            {
              "fixed": "7ae8d49e81763aba3cd27a827769698030c1bf83"
            },
            {
              "fixed": "4992e8a265fd914a7eeb0405c69d1ff0122a84cc"
            }
          ],
          "repo": "https://github.com/sgbett/bsv-ruby-sdk",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-hc36-c89j-5f4j"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-347"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40070.json"
  },
  "details": "BSV Ruby SDK is the Ruby SDK for the BSV blockchain. From 0.3.1 to before 0.8.2, BSV::Wallet::WalletClient#acquire_certificate persists certificate records to storage without verifying the certifier's signature over the certificate contents. In acquisition_protocol: 'direct', the caller supplies all certificate fields (including signature:) and the record is written to storage verbatim. In acquisition_protocol: 'issuance', the client POSTs to a certifier URL and writes whatever signature the response body contains, also without verification. An attacker who can reach either API (or who controls a certifier endpoint targeted by the issuance path) can forge identity certificates that subsequently appear authentic to list_certificates and prove_certificate.",
  "id": "CVE-2026-40070",
  "modified": "2026-07-08T05:39:30.480783602Z",
  "published": "2026-04-09T17:26:51.495Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://brc.dev/52"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40070.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/security/advisories/GHSA-hc36-c89j-5f4j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40070"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/issues/305"
    },
    {
      "type": "FIX",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/commit/4992e8a265fd914a7eeb0405c69d1ff0122a84cc"
    },
    {
      "type": "FIX",
      "url": "https://github.com/sgbett/bsv-ruby-sdk/pull/306"
    }
  ],
  "schema_version": "1.7.5",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)"
}