CVE-2026-26275 (GCVE-0-2026-26275)
Vulnerability from cvelistv5 – Published: 2026-02-19 21:25 – Updated: 2026-02-20 15:42
Title
httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass
Summary
httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.
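The following is an added illustration of the defect class the summary describes, not code from httpsig-rs or its advisory. In Rust, the second argument of `matches!` is a pattern, and a bare identifier such as `_expected_digest` is an identifier pattern: it binds whatever value is being matched and therefore matches every input, so the check always succeeds. The block shows that shape beside a value comparison that folds every byte into an accumulator so it does not exit early. The digest byte strings are constructed placeholders (no hashing is performed), and the constant-time helper is a hand-rolled, standard-library-only version written for this example; production code would reach for a vetted implementation such as the `subtle` crate's `ConstantTimeEq`.

```rust
// Added example (not httpsig-rs code): the always-true `matches!` shape beside
// a value comparison that actually checks the digest bytes.

/// Buggy shape described in the advisory. `matches!(digest, _expected_digest)`
/// expands to `match digest { _expected_digest => true, _ => false }`. The
/// identifier pattern binds a new variable (shadowing the parameter of the same
/// name) instead of comparing against it, so the first arm matches everything
/// and the `_` arm can never be reached. Leading underscore names in the
/// original are the only visible hint that nothing is being compared.
#[allow(unreachable_patterns)]
pub fn digest_matches_buggy(digest: &[u8], _expected_digest: &[u8]) -> bool {
    matches!(digest, _expected_digest)
}

/// Corrected shape: compare the bytes as values. Lengths are checked first
/// (the digest length is not secret), then every byte pair is XORed into an
/// accumulator so the loop runs to the end regardless of where a mismatch sits.
/// Hand-rolled for the example; use a vetted crate in real code.
pub fn digest_matches(digest: &[u8], expected_digest: &[u8]) -> bool {
    if digest.len() != expected_digest.len() {
        return false;
    }
    let diff = digest
        .iter()
        .zip(expected_digest)
        .fold(0u8, |acc, (a, b)| acc | (a ^ b));
    diff == 0
}

fn main() {
    // Constructed stand-ins for "digest computed over the received body" and
    // "digest carried in the request's Digest header" (no real hashing here).
    let computed: &[u8] = b"digest-of-original-body";
    let in_header: &[u8] = b"digest-of-modified-body";

    // Buggy check: reports success even though the bytes differ.
    println!("buggy, mismatched: {}", digest_matches_buggy(computed, in_header)); // true
    // Fixed check: mismatch is detected, identical bytes still pass.
    println!("fixed, mismatched: {}", digest_matches(computed, in_header)); // false
    println!("fixed, identical:  {}", digest_matches(computed, computed)); // true
}
```

The fixed comparison returns `false` for any length mismatch and for any differing byte, which is the behaviour a Digest check must have for body tampering to be detected; as the summary notes, Digest verification should still sit under full HTTP message signature verification rather than stand alone.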
Severity
7.5 (High)
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch | x_refsource_CONFIRM |
| https://github.com/junkurihara/httpsig-rs/pull/14 | x_refsource_MISC |
| https://github.com/junkurihara/httpsig-rs/pull/15 | x_refsource_MISC |
| https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370 | x_refsource_MISC |
| https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| junkurihara | httpsig-rs | Affected: < 0.0.23 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-26275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T15:32:12.586184Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T15:42:05.498Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "httpsig-rs",
"vendor": "junkurihara",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust\u0027s `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-354",
"description": "CWE-354: Improper Validation of Integrity Check Value",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697: Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:25:37.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch"
},
{
"name": "https://github.com/junkurihara/httpsig-rs/pull/14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/junkurihara/httpsig-rs/pull/14"
},
{
"name": "https://github.com/junkurihara/httpsig-rs/pull/15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/junkurihara/httpsig-rs/pull/15"
},
{
"name": "https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370"
},
{
"name": "https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297"
}
],
"source": {
"advisory": "GHSA-7v42-g35v-xrch",
"discovery": "UNKNOWN"
},
"title": "httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-26275",
"datePublished": "2026-02-19T21:25:37.335Z",
"dateReserved": "2026-02-12T17:10:53.413Z",
"dateUpdated": "2026-02-20T15:42:05.498Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-26275\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-19T22:16:46.493\",\"lastModified\":\"2026-03-03T17:44:32.643\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust\u0027s `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.\"},{\"lang\":\"es\",\"value\":\"httpsig-hyper es una extensi\u00f3n hyper para firmas de mensajes HTTP. 
Se descubri\u00f3 un problema en \u0027httpsig-hyper\u0027 anterior a la versi\u00f3n 0.0.23 donde la verificaci\u00f3n del encabezado Digest podr\u00eda ser exitosa, aunque de forma indebida, por el mal funcionamiento de la macro \u0027matches!\u0027 de Rust. Espec\u00edficamente, la comparaci\u00f3n \u0027if matches!(digest, _expected_digest)\u0027 trataba \u0027_expected_digest\u0027 como una vinculaci\u00f3n de patr\u00f3n en lugar de una comparaci\u00f3n de valor, lo que resultaba en el \u00e9xito incondicional de la expresi\u00f3n de coincidencia. Como consecuencia, la verificaci\u00f3n del digest pod\u00eda devolver \u00e9xito incorrectamente incluso cuando el digest calculado no coincid\u00eda con el valor esperado. Por lo tanto, las aplicaciones que dependen de la verificaci\u00f3n de Digest como parte de la validaci\u00f3n de firmas de mensajes HTTP, pueden no detectar la modificaci\u00f3n del cuerpo del mensaje. La gravedad depende de c\u00f3mo se integra la biblioteca y si se aplican capas adicionales de validaci\u00f3n de firmas. Este problema ha sido solucionado en \u0027httpsig-hyper\u0027 0.0.23. La soluci\u00f3n reemplaza el uso incorrecto de \u0027matches!\u0027 por una comparaci\u00f3n de valor adecuada y adicionalmente introduce una comparaci\u00f3n de tiempo constante para la verificaci\u00f3n del digest como defensa en profundidad. Tambi\u00e9n se han a\u00f1adido pruebas de regresi\u00f3n para evitar la reintroducci\u00f3n de este problema. Se recomienda encarecidamente a los usuarios que actualicen a la versi\u00f3n parcheada. No hay una soluci\u00f3n alternativa fiable sin actualizar. 
Los usuarios que no puedan actualizar inmediatamente deben evitar depender \u00fanicamente de la verificaci\u00f3n de Digest para la integridad del mensaje y asegurarse de que la verificaci\u00f3n completa de la firma de mensajes HTTP se aplique en la capa de aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-354\"},{\"lang\":\"en\",\"value\":\"CWE-697\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:junkurihara:httpsig-hyper:*:*:*:*:*:rust:*:*\",\"versionEndExcluding\":\"0.0.23\",\"matchCriteriaId\":\"8D02B03A-2C49-46ED-A5C0-EF91104582CA\"}]}]}],\"references\":[{\"url\":\"https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/junkurihara/httpsig-rs/pull/14\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Patch\"]},{\"url\":\"https://github.com/junkurihara/httpsig-rs/pull/15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue 
Tracking\",\"Patch\"]},{\"url\":\"https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-26275\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-20T15:32:12.586184Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-20T15:32:14.371Z\"}}], \"cna\": {\"title\": \"httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass\", \"source\": {\"advisory\": \"GHSA-7v42-g35v-xrch\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"junkurihara\", \"product\": \"httpsig-rs\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.0.23\"}]}], \"references\": [{\"url\": \"https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch\", \"name\": \"https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/junkurihara/httpsig-rs/pull/14\", \"name\": \"https://github.com/junkurihara/httpsig-rs/pull/14\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/junkurihara/httpsig-rs/pull/15\", \"name\": \"https://github.com/junkurihara/httpsig-rs/pull/15\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370\", \"name\": 
\"https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297\", \"name\": \"https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust\u0027s `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. 
Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-354\", \"description\": \"CWE-354: Improper Validation of Integrity Check Value\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-697\", \"description\": \"CWE-697: Incorrect Comparison\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-19T21:25:37.335Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-26275\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-20T15:42:05.498Z\", \"dateReserved\": \"2026-02-12T17:10:53.413Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-19T21:25:37.335Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.