Ruby SDK Vulnerability in BSV Blockchain by BSV
CVE-2026-40070

8.1 HIGH

Key Information:

Vendor: Sgbett

CVE Published: 9 April 2026

What is CVE-2026-40070?

The BSV Ruby SDK improperly verifies certificate signatures before storing certificates. The method BSV::Wallet::WalletClient#acquire_certificate can save forged identity certificates when an attacker abuses either acquisition protocol. In the 'direct' acquisition protocol, the client supplies all certificate details, including the signature, and the certificate is saved without the signature being validated. In the 'issuance' protocol, where the client talks to a certifier URL, the signature in the certifier's response is likewise accepted without verification. Because the signature is never checked, an attacker with access to either API can produce fraudulent certificates that appear valid when users list or verify them.
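To make the missing check concrete, here is an added Ruby example (not the bsv-ruby-sdk's own code): a toy certificate store whose unverified path mirrors the behaviour described above, beside a hardened path that verifies the certifier's signature over the certificate fields before persisting anything. The class and method names, the canonical-JSON payload, the hex-encoded signature field and the prime256v1 curve are assumptions made for this example, not the SDK's API.

```ruby
require 'openssl'
require 'json'

# Toy certificate store used to illustrate the flaw. Names and layout are
# constructed for this example and are not the bsv-ruby-sdk API.
class CertificateStore
  class InvalidSignature < StandardError; end

  attr_reader :certificates

  def initialize(certifier_public_key)
    @certifier_public_key = certifier_public_key
    @certificates = []
  end

  # Fields covered by the signature, serialized in a canonical order so that
  # signer and verifier hash identical bytes (assumed layout).
  def self.signed_payload(cert)
    JSON.generate(cert.reject { |k, _| k == 'signature' }.sort.to_h)
  end

  # Vulnerable behaviour: persist the certificate, signature and all, unverified.
  def acquire_unverified(cert)
    @certificates << cert
    true
  end

  # Hardened behaviour: refuse to persist a certificate whose signature does not
  # verify under the certifier key the client already trusts.
  def acquire_verified(cert)
    sig = [cert.fetch('signature')].pack('H*')
    unless @certifier_public_key.verify('SHA256', sig, self.class.signed_payload(cert))
      raise InvalidSignature, "certificate #{cert['serialNumber']} has an invalid signature"
    end
    @certificates << cert
    true
  end
end

# Public-only copy of an EC key, working across openssl gem versions.
def public_only(key)
  return OpenSSL::PKey.read(key.public_to_der) if key.respond_to?(:public_to_der)
  pub = OpenSSL::PKey::EC.new(key.group)
  pub.public_key = key.public_key
  pub
end

# Constructed demo: a legitimate certifier signs one certificate and an attacker
# signs a second one with their own key. Only the unverified store keeps the forgery.
def demo
  certifier = OpenSSL::PKey::EC.generate('prime256v1') # portable stand-in curve
  attacker  = OpenSSL::PKey::EC.generate('prime256v1')

  cert = { 'type' => 'identity', 'serialNumber' => 'demo-1', 'subject' => 'alice',
           'certifier' => 'certifier-demo', 'fields' => { 'name' => 'Alice' } }
  genuine = cert.merge('signature' =>
    certifier.sign('SHA256', CertificateStore.signed_payload(cert)).unpack1('H*'))

  forged = cert.merge('subject' => 'mallory', 'serialNumber' => 'demo-2')
  forged = forged.merge('signature' =>
    attacker.sign('SHA256', CertificateStore.signed_payload(forged)).unpack1('H*'))

  vulnerable = CertificateStore.new(public_only(certifier))
  hardened   = CertificateStore.new(public_only(certifier))

  vulnerable.acquire_unverified(genuine)
  vulnerable.acquire_unverified(forged)

  hardened.acquire_verified(genuine)
  forgery_rejected = begin
    hardened.acquire_verified(forged)
    false
  rescue CertificateStore::InvalidSignature
    true
  end

  { vulnerable_count: vulnerable.certificates.size,
    hardened_count: hardened.certificates.size,
    forgery_rejected: forgery_rejected }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The point of the hardened path is that the trust anchor (the certifier's public key) comes from the client's own configuration, never from the certificate or the certifier response being checked; a signature that the client does not verify against a key it already trusts carries no information about who issued the certificate.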

Affected Version(s)

bsv-ruby-sdk >= 0.3.1, < 0.8.2

bsv-sdk >= 0.3.1, < 0.8.2

bsv-wallet >= 0.1.2, < 0.3.4

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved