CVE-2026-26275 - Vulnerability Details

Vendors	Products
Junkurihara	Httpsig-rs

Link	Providers
https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370
https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297
https://github.com/junkurihara/httpsig-rs/pull/14
https://github.com/junkurihara/httpsig-rs/pull/15
https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch

Type	Values Removed	Values Added
First Time appeared		Junkurihara Junkurihara httpsig-rs
Vendors & Products		Junkurihara Junkurihara httpsig-rs

Type	Values Removed	Values Added
Description		httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer.
Title		httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass
Weaknesses		CWE-354 CWE-697
References		https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370 https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297 https://github.com/junkurihara/httpsig-rs/pull/14 https://github.com/junkurihara/httpsig-rs/pull/15 https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}`

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26275", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.413Z", "datePublished": "2026-02-19T21:25:37.335Z", "dateUpdated": "2026-02-19T21:25:37.335Z"}, "containers": {"cna": {"title": "httpsig-hyper has Improper Digest Verification that May Allow Message Integrity Bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-354", "lang": "en", "description": "CWE-354: Improper Validation of Integrity Check Value", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-697", "lang": "en", "description": "CWE-697: Incorrect Comparison", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch"}, {"name": "https://github.com/junkurihara/httpsig-rs/pull/14", "tags": ["x_refsource_MISC"], "url": "https://github.com/junkurihara/httpsig-rs/pull/14"}, {"name": "https://github.com/junkurihara/httpsig-rs/pull/15", "tags": ["x_refsource_MISC"], "url": "https://github.com/junkurihara/httpsig-rs/pull/15"}, {"name": "https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370", "tags": ["x_refsource_MISC"], "url": "https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370"}, {"name": "https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297", "tags": ["x_refsource_MISC"], "url": "https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297"}], "affected": [{"vendor": "junkurihara", "product": "httpsig-rs", "versions": [{"version": "< 0.0.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T21:25:37.335Z"}, "descriptions": [{"lang": "en", "value": "httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer."}], "source": {"advisory": "GHSA-7v42-g35v-xrch", "discovery": "UNKNOWN"}}}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to misuse of Rust's `matches!` macro. Specifically, the comparison `if matches!(digest, _expected_digest)` treated `_expected_digest` as a pattern binding rather than a value comparison, resulting in unconditional success of the match expression. As a consequence, digest verification could incorrectly return success even when the computed digest did not match the expected value. Applications relying on Digest verification as part of HTTP message signature validation may therefore fail to detect message body modification. The severity depends on how the library is integrated and whether additional signature validation layers are enforced. This issue has been fixed in `httpsig-hyper` 0.0.23. The fix replaces the incorrect `matches!` usage with proper value comparison and additionally introduces constant-time comparison for digest verification as defense-in-depth. Regression tests have also been added to prevent reintroduction of this issue. Users are strongly advised to upgrade to the patched version. There is no reliable workaround without upgrading. Users who cannot immediately upgrade should avoid relying solely on Digest verification for message integrity and ensure that full HTTP message signature verification is enforced at the application layer."}], "id": "CVE-2026-26275", "lastModified": "2026-02-19T22:16:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T22:16:46.493", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/junkurihara/httpsig-rs/commit/5533f596c650377e02f4aa9e3eb8dba591b87370"}, {"source": "security-advisories@github.com", "url": "https://github.com/junkurihara/httpsig-rs/commit/65cbd19b395180a4bba09a89746c4b14ccb8d297"}, {"source": "security-advisories@github.com", "url": "https://github.com/junkurihara/httpsig-rs/pull/14"}, {"source": "security-advisories@github.com", "url": "https://github.com/junkurihara/httpsig-rs/pull/15"}, {"source": "security-advisories@github.com", "url": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-354"}, {"lang": "en", "value": "CWE-697"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object