CVE Vulnerabilities

CVE-2026-33487

Improper Verification of Cryptographic Signature

Published: Mar 26, 2026 | Modified: Jun 30, 2026
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
7.5 IMPORTANT
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Ubuntu
root.io logo minimus.io logo echo.ai logo

goxmlsig provides XML Digital Signatures implemented in Go. Prior to version 1.6.0, the validateSignature function in validate.go goes through the references in the SignedInfo block to find one that matches the signed elements ID. In Go versions before 1.22, or when go.mod uses an older version, there is a loop variable capture issue. The code takes the address of the loop variable _ref instead of its value. As a result, if more than one reference matches the ID or if the loop logic is incorrect, the ref pointer will always end up pointing to the last element in the SignedInfo.References slice after the loop. goxmlsig version 1.6.0 contains a patch.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Affected Software

NameVendorStart VersionEnd Version
GoxmldsigGoxmldsig_project*1.6.0 (excluding)
Multicluster Global Hub 1.3.4RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1779212259*
Multicluster Global Hub 1.4.5RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1779579439*
Multicluster Global Hub 1.5.4RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1778867753*
Multicluster Global Hub 1.6.2RedHatmulticluster-globalhub/multicluster-globalhub-grafana-rhel9:1780167118*
Red Hat Advanced Cluster Management for Kubernetes 2.15RedHatrhacm2/acm-grafana-rhel9:1777142269*
Red Hat OpenShift GitOps 1.18RedHatopenshift-gitops-1/dex-rhel8:1779116359*
Red Hat OpenShift GitOps 1.19RedHatopenshift-gitops-1/dex-rhel8:1779209965*

References