An error in the SignServer container startup logic was found in Keyfactor SignServer versions prior to 7.2. The Admin CLI command used to configure Certificate access to the initial startup of the container sets a property of "allowany" to allow any user with a valid and trusted client auth certificate to connect. Admins can then set more restricted access to specific certificates. A logic error caused this admin CLI command to be run on each restart of the container instead of only the first startup as intended resetting the configuration to "allowany".
References
Configurations
History
05 Jan 2026, 17:48
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://docs.keyfactor.com/signserver/latest/signserver-7-2-release-notes - Release Notes | |
| References | () https://support.keyfactor.com/hc/en-us/articles/33997706776987-SignServer-security-advisory-Container-vulnerability-CVE-2025-26787-fixed-in-version-7-2 - Vendor Advisory | |
| CPE | cpe:2.3:a:keyfactor:signserver:*:*:*:*:*:*:*:* | |
| First Time |
Keyfactor signserver
Keyfactor |
22 Dec 2025, 19:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-12-22 19:15
Updated : 2026-01-05 17:48
NVD link : CVE-2025-26787
Mitre link : CVE-2025-26787
CVE.ORG link : CVE-2025-26787
JSON object : View
Products Affected
keyfactor
- signserver
CWE
CWE-642
External Control of Critical State Data