
CVE-2026-33487: goxmldsig XXE Vulnerability

CVE-2026-33487 is an XXE flaw in goxmldsig that affects XML Digital Signature validation due to a loop variable capture issue in Go. This article covers technical details, affected versions, impact, and mitigation.

Published: March 27, 2026

CVE-2026-33487 Overview

CVE-2026-33487 is an Improper Verification of Cryptographic Signature vulnerability affecting goxmldsig, a Go library that provides an implementation of XML Digital Signatures. The vulnerability exists in the validateSignature function within validate.go, where a loop variable capture issue can cause signature validation to reference the wrong element of the SignedInfo.References slice.

This flaw specifically affects builds made with Go versions prior to 1.22, or builds where the project's go.mod specifies an older Go language version. Under the loop variable semantics of those versions, a single _ref variable is shared by every iteration, so taking its address with &_ref yields a pointer to that shared variable rather than to the matching element; once the loop completes, the ref pointer always refers to the last element of the SignedInfo.References slice.

Critical Impact

Attackers could potentially bypass XML digital signature validation, leading to signature forgery or acceptance of improperly signed XML documents with high integrity impact.

Affected Products

  • goxmldsig versions prior to 1.6.0
  • Applications using Go versions prior to 1.22 with affected goxmldsig versions
  • Projects with go.mod specifying older Go versions even when compiled with Go 1.22+

Discovery Timeline

  • 2026-03-26 - CVE-2026-33487 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33487

Vulnerability Analysis

This vulnerability is classified under CWE-347 (Improper Verification of Cryptographic Signature). The root issue lies in how Go handles loop variable scoping in versions prior to 1.22. When the validateSignature function iterates through references in the SignedInfo block to find a match for the signed element's ID, it captures the address of the loop variable rather than its value.

In practical terms, this means that if multiple references match the ID or if specific loop logic conditions occur, the reference pointer will incorrectly point to the last element in the SignedInfo.References slice regardless of which reference actually matched. This behavior can lead to signature validation operating on the wrong reference element, potentially allowing signature bypass attacks.

The vulnerability has network-based attack vectors requiring no privileges or user interaction, making it exploitable remotely against applications processing XML digital signatures.

Root Cause

The root cause is the Go loop variable capture behavior in versions prior to 1.22. In older Go versions, when a loop variable's address is taken (using & operator), all iterations share the same memory address for that variable. After the loop completes, this address contains only the value from the final iteration. The vulnerable code pattern in validateSignature takes &_ref during iteration, causing the captured reference to always be the last one in the slice, regardless of which reference actually matched the signed element's ID.
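The pattern described above, shown as an added example that is not goxmldsig's own code: findReferenceLegacy hoists the loop variable to reproduce the pre-1.22 sharing on any Go version, findReferenceFixed takes the address of the slice element instead, and checkReference is the kind of extra validation layer the workarounds section mentions. The Reference type and all function names are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"strings"
)

// Reference is a minimal stand-in for a <ds:Reference> inside SignedInfo
// (hypothetical type, not goxmldsig's own types.Reference).
type Reference struct {
	URI string // e.g. "#assertion-1"
}

// findReferenceLegacy reproduces the pre-Go-1.22 semantics the article
// describes: one variable is reused across iterations, so the address taken
// inside the loop ends up pointing at whatever was assigned last. Hoisting
// `cur` makes that sharing explicit so the result is the same on any Go version.
func findReferenceLegacy(refs []Reference, id string) *Reference {
	var ref *Reference
	var cur Reference
	for i := range refs {
		cur = refs[i]
		if strings.TrimPrefix(cur.URI, "#") == id {
			ref = &cur // points at the shared variable, not at the match
		}
	}
	return ref
}

// findReferenceFixed takes the address of the slice element itself, so the
// pointer stays bound to the matching Reference regardless of Go version.
func findReferenceFixed(refs []Reference, id string) *Reference {
	for i := range refs {
		if strings.TrimPrefix(refs[i].URI, "#") == id {
			return &refs[i]
		}
	}
	return nil
}

// checkReference is an extra validation layer: refuse to continue unless the
// selected reference really names the element being validated.
func checkReference(ref *Reference, id string) error {
	if ref == nil {
		return fmt.Errorf("no reference for element %q", id)
	}
	if strings.TrimPrefix(ref.URI, "#") != id {
		return fmt.Errorf("reference %q does not cover element %q", ref.URI, id)
	}
	return nil
}
```

With references #a, #b, #c and element ID "a", the legacy lookup returns the pointer to #c while the fixed lookup returns #a; checkReference rejects the former and accepts the latter.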

Attack Vector

The vulnerability can be exploited through the network by submitting specially crafted XML documents with digital signatures to applications using vulnerable versions of goxmldsig. An attacker could construct XML documents where the signature validation logic references an incorrect element due to the loop variable capture issue. This could enable:

  1. Signature Bypass: Crafting documents where the signature appears valid but covers different content than intended
  2. Reference Manipulation: Exploiting scenarios with multiple matching references to cause validation against unintended data
  3. Integrity Compromise: Modifying signed content while maintaining apparent signature validity

The vulnerability manifests in the signature validation function when processing the SignedInfo.References slice. For detailed technical analysis and proof-of-concept patterns, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-33487

Indicators of Compromise

  • Unexpected XML signature validation successes in application logs
  • Discrepancies between signed content and validated references in audit trails
  • Applications accepting XML documents with signatures that should have failed validation

Detection Strategies

  • Review application dependencies for goxmldsig versions prior to 1.6.0
  • Audit go.mod files to identify projects specifying Go versions older than 1.22
  • Implement logging around XML signature validation to detect anomalous acceptance patterns
  • Use software composition analysis (SCA) tools to identify vulnerable library versions

Monitoring Recommendations

  • Enable verbose logging for XML signature validation operations
  • Monitor for unusual patterns in signature verification, particularly documents with multiple references
  • Implement integrity checks comparing expected vs. actual validated content
  • Set up alerts for signature validation on documents with complex SignedInfo.References structures

How to Mitigate CVE-2026-33487

Immediate Actions Required

  • Upgrade goxmldsig to version 1.6.0 or later immediately
  • Update go.mod to specify Go version 1.22 or later
  • Recompile applications using Go 1.22+ to benefit from the corrected loop variable scoping
  • Audit any XML documents processed during the vulnerable period for integrity

Patch Information

The vulnerability has been addressed in goxmldsig version 1.6.0. The patch corrects the loop variable capture issue by ensuring proper value capture instead of address capture during reference iteration. Organizations should upgrade to version 1.6.0 or later as documented in the GitHub Security Advisory.

Workarounds

  • Upgrade to Go 1.22 or later and rebuild applications, as the new Go runtime fixes loop variable scoping behavior at the language level
  • Update go.mod to require Go 1.22 minimum version before rebuilding
  • If immediate upgrade is not possible, implement additional validation layers for XML signatures outside of goxmldsig
  • Consider restricting XML documents to single-reference signatures until patched
```bash
# Configuration example
# Upgrade goxmldsig to the patched version
go get github.com/russellhaering/goxmldsig@v1.6.0

# Update go.mod to require Go 1.22+
go mod edit -go=1.22

# Rebuild the application with updated dependencies
# (use `go build -o myapp .` for a single main package; -o with ./... fails when several packages match)
go build ./...

# Verify the dependency version
go list -m github.com/russellhaering/goxmldsig
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: XXE
  • Vendor/Tech: Goxmldsig
  • Severity: HIGH
  • CVSS Score: 7.5
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-347

Technical References

  • GitHub Security Advisory