CVE-2026-40070: CVE-2026-40070: Improper Verification of Cryptographic Signature in bsv-ruby-sdk

CVE-2026-40070: Improper Verification of Cryptographic Signature in bsv-ruby-sdk

Vulnerability ID: CVE-2026-40070
CVSS Score: 8.1
Published: 2026-04-09

The bsv-ruby-sdk and bsv-wallet RubyGems fail to cryptographically verify BRC-52 identity certificate signatures, allowing attackers to forge trusted identity credentials.

TL;DR

A missing signature verification check in the BRC-52 certificate acquisition API allows attackers to inject arbitrary forged identity attributes into the wallet storage, subverting downstream identity proofs.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-347
• CVSS Score: 8.1
• Attack Vector: Network
• Impact: High Integrity, High Confidentiality
• Exploit Maturity: Proof-of-Concept
• KEV Listed: False

Affected Systems

• bsv-sdk
• bsv-wallet
• bsv-sdk: >= 0.3.1, < 0.8.2 (Fixed in: 0.8.2)
• bsv-wallet: >= 0.1.2, < 0.3.4 (Fixed in: 0.3.4)

Code Analysis

Commit: 4992e8a

Enforce BRC-52 certificate signature validation on acquisition

Exploit Details

• Security Advisory: Ruby PoC demonstrating direct acquisition bypass with arbitrary signature.

Mitigation Strategies

• Upgrade to patched gem versions.
• Restrict access to certificate acquisition APIs.
• Implement manual BRC-52 signature validation at the application layer.

Remediation Steps:

1. Update Gemfile to specify gem 'bsv-sdk', '>= 0.8.2'.
2. Update Gemfile to specify gem 'bsv-wallet', '>= 0.3.4'.
3. Run bundle update bsv-sdk bsv-wallet to fetch the patched versions.
4. Restart the application to load the updated libraries.

References

• NVD Record CVE-2026-40070
• GitHub Security Advisory GHSA-hc36-c89j-5f4j
• BRC-52 Specification

---

Read the full report for CVE-2026-40070 on our website for more details including interactive diagrams and full exploit analysis.