Full Report
Unrestricted Upload of File with Dangerous Type vulnerability (CVE-2026-44088) has been found in SzafirHost software.
Analysis Summary
# Vulnerability: SzafirHost Unrestricted Upload / Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-44088
- **CVSS Score:** Not specified in source (Typically High/Critical for RCE)
- **CWE:** CWE-434: Unrestricted Upload of File with Dangerous Type
## Affected Systems
- **Products:** SzafirHost (by Krajowa Izba Rozliczeniowa)
- **Versions:** All versions prior to 1.2.1
- **Configurations:** Systems processing and verifying downloaded JAR files for execution.
## Vulnerability Description
The vulnerability stems from an inconsistency in how Java handles JAR files during verification versus execution. SzafirHost utilizes the `JarInputStream` class to verify the digital signature of a downloaded JAR; this class reads the file sequentially from the beginning. However, when loading classes for execution, the software uses `JarFile` / `URLClassLoader`, which identifies file contents by reading the Central Directory located at the end of the file.
An attacker can exploit this "discrepancy in file parsing" by concatenating a legitimate, signed JAR file with a malicious ZIP file. The sequential verification pass sees only the genuine signed archive at the start of the file and succeeds, while the class loader, which locates entries through the Central Directory at the end of the file, loads the malicious classes defined in the trailing ZIP structure.
## Exploitation
- **Status:** PoC status not explicitly confirmed, but the technical mechanism is described; coordinated disclosure suggests it is likely not yet exploited in the wild.
- **Complexity:** Medium (Requires creating a specifically crafted hybrid JAR/ZIP file).
- **Attack Vector:** Network (Remote Code Execution).
## Impact
- **Confidentiality:** High (Full system access potential)
- **Integrity:** High (Unauthorized code execution)
- **Availability:** High (Potential for system takeover or disruption)
## Remediation
### Patches
- **SzafirHost version 1.2.1:** This version contains a fix for the verification logic and is the recommended minimum version.
### Workarounds
- No specific workarounds were provided. Users are strongly encouraged to update to the patched version.
## Detection
- **Indicators of Compromise:** JAR files that contain multiple "end of central directory" records or files that appear to be a concatenation of a valid JAR and another ZIP archive.
- **Detection methods and tools:** Audit file upload/download logs for unexpected JAR updates. Security scanners should look for inconsistencies between JAR signatures and the actual classes packaged within the ZIP directory.
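The following is an added example (not SzafirHost code or part of the advisory) of the first indicator above: it locates every plausible End-Of-Central-Directory record in a file and flags archives that carry more than one, or whose trailing record only resolves after skipping leading bytes, which is what a JAR concatenated with a second ZIP looks like. The sample archives are constructed in memory with Python's `zipfile` module and stand in for a signed JAR and an appended ZIP.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record signature
CEN_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_MIN_LEN = 22          # fixed part of the EOCD record


def find_eocd_records(data: bytes) -> list[dict]:
    """Return every plausible EOCD record in `data`, in file order.

    A candidate counts only if the central directory it describes sits
    immediately before it, which filters out signature bytes that merely
    occur inside compressed content.
    """
    records = []
    pos = data.find(EOCD_SIG)
    while pos != -1 and pos + EOCD_MIN_LEN <= len(data):
        # disk no, CD disk, entries on disk, total entries, CD size, CD offset, comment len
        _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from("<4H2IH", data, pos + 4)
        cen_start = pos - cd_size
        if cen_start >= 0 and data[cen_start:cen_start + 4] == CEN_SIG:
            # 'prepended' is how many bytes precede the archive this EOCD belongs to;
            # a sequential reader starting at offset 0 never reaches such an archive.
            records.append({"eocd_pos": pos, "cen_start": cen_start,
                            "prepended": cen_start - cd_offset})
        pos = data.find(EOCD_SIG, pos + 1)
    return records


def is_suspicious_jar(data: bytes) -> bool:
    """True when a central-directory reader would resolve a different archive
    than a sequential reader: several EOCD records, or a trailing archive
    whose offsets only line up after skipping leading bytes."""
    records = find_eocd_records(data)
    return len(records) > 1 or (bool(records) and records[-1]["prepended"] != 0)


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive (stands in for a signed JAR or a malicious ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    genuine = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "App.class": b"\xca\xfe\xba\xbe"})
    appended = make_zip({"App.class": b"\xca\xfe\xba\xbe replaced"})
    print("genuine:", is_suspicious_jar(genuine))               # False
    print("concatenated:", is_suspicious_jar(genuine + appended))  # True
```

The offset check also catches a hybrid whose first EOCD has been obscured, as long as the trailing archive's Central Directory offsets are still relative to its own start; a check like this belongs beside, not instead of, verifying that every entry the class loader will see carries a valid signature.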
## References
- **Vendor:** Krajowa Izba Rozliczeniowa
- **Advisory:** hxxps://cert[.]pl/en/posts/2026/05/vulnerability-in-szafirhost-software/
- **CVE Record:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-44088
- **CWE-434:** hxxps://cwe[.]mitre[.]org/data/definitions/434[.]html