CVE-2026-8931 | Severity: CRITICAL | CNA: SK-CERT

CVE-2026-8931: Critical RCE vulnerability in Disig Web Signer

A critical Remote Code Execution (RCE) vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3.

Metrics

  • CVSS v4.0: 9.4
  • Severity: CRITICAL
  • Fixed in: 2.5.5
  • Affected products: 1


HarborGuard Analysis

Synopsis

A remote code execution vulnerability exists in Disig Web Signer versions 2.0.3 through 2.5.3. The vulnerability is reachable over the network, requires no authentication, and is triggered when a user interacts with attacker-controlled content, based on the CVSS v4.0 vector. Successful exploitation gives the attacker full code execution on the host, with high-impact compromise across confidentiality, integrity, and availability for both the vulnerable component and any systems it can reach. A patched-image rebuild at version 2.5.5 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

  • Detection (Available)

    Detection of CVE-2026-8931 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream publication. Coverage extends to custom-built images that bundle Disig Web Signer, not only images pulled from public registries.

  • Triage (Available)

    HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.4 (Critical) and weighting that score against each environment's compliance policy to determine urgency. Triage routing is available to direct findings to the appropriate team inbox within each customer organization.

  • Patch (Available)

    A patched-image rebuild at Disig Web Signer version 2.5.5 is available on HarborGuard for any environment where an affected version is detected. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable service over the network; no local or physical access is required.

  • Authentication: Not required

    No account or credentials of any privilege level are needed to initiate the attack.

  • Victim interaction: Required

    A user must interact with attacker-controlled content (for example, opening a crafted document or visiting a malicious page) to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.

Blast Radius

  • Reads any files or secrets accessible to the Web Signer process, including private keys used for document signing.
  • Writes or modifies files and data on the host, enabling persistence, credential theft, or tampering with signed documents.
  • Crashes or fully disrupts the Web Signer service, blocking signing operations for any dependent workflows.
  • Because the three subsequent-system metrics (SC/SI/SA) are all High, a successful attacker can pivot to connected systems or services that trust the compromised host, extending the impact beyond the Web Signer process itself.

How HarborGuard Handles This

Available on HarborGuard: detection of this Critical-severity CVE is matched against all customer images within minutes of publication, including internally built images. Where an affected version of Disig Web Signer (2.0.3 through 2.5.3) is identified, a rebuilt image at version 2.5.5 becomes available. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs regression tests, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is routed to the designated team inbox with the full CVSS v4.0 context and a direct reference to the fix version so engineers can act manually. Given the network-exposed, no-auth attack surface and the breadth of system-level impact, treating this as a priority remediation is appropriate for any environment running an affected version.


Fix available: 2.5.5

Affected packages
  • Disig / Web Signer: ≤ 2.5.3, fixed in 2.5.5

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
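The exploit conditions listed above and the affected-version range are both mechanical readings of the published vector and the fix metadata. The following added example (not HarborGuard or Disig code) parses the CVSS v4.0 vector into its base metrics, derives the same condition bullets from it, and classifies a Web Signer version against the stated range so an inventory can be checked offline. The vector, the 2.0.3 through 2.5.3 range and the 2.5.5 fix come from this record; the metric vocabulary follows the CVSS v4.0 specification; the sample version list in `main` is constructed.

```python
"""CVSS v4.0 vector parser plus affected-version check for CVE-2026-8931.

Added example, not code from HarborGuard or Disig. The vector string, the
affected range (2.0.3 through 2.5.3) and the fix version (2.5.5) are taken
from the advisory; the metric tables follow the CVSS v4.0 specification;
the sample versions at the bottom are constructed.
"""

# Base-metric vocabulary from the CVSS v4.0 specification (abbreviation -> name).
METRIC_VALUES = {
    "AV": {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"},
    "AC": {"L": "Low", "H": "High"},
    "AT": {"N": "None", "P": "Present"},
    "PR": {"N": "None", "L": "Low", "H": "High"},
    "UI": {"N": "None", "P": "Passive", "A": "Active"},
    "VC": {"H": "High", "L": "Low", "N": "None"},
    "VI": {"H": "High", "L": "Low", "N": "None"},
    "VA": {"H": "High", "L": "Low", "N": "None"},
    "SC": {"H": "High", "L": "Low", "N": "None"},
    "SI": {"H": "High", "L": "Low", "N": "None"},
    "SA": {"H": "High", "L": "Low", "N": "None"},
}

# Values published in the advisory.
ADVISORY_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
AFFECTED_MIN = (2, 0, 3)
AFFECTED_MAX = (2, 5, 3)
FIXED_IN = (2, 5, 5)


def parse_cvss4(vector: str) -> dict:
    """Split a CVSS v4.0 vector into {metric: value}; reject anything malformed."""
    if not vector.startswith("CVSS:4.0/"):
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in vector.split("/")[1:]:
        name, sep, value = part.partition(":")
        if not sep or name not in METRIC_VALUES or value not in METRIC_VALUES[name]:
            raise ValueError(f"unknown metric or value: {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        metrics[name] = value
    missing = [m for m in METRIC_VALUES if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {', '.join(missing)}")
    return metrics


def exploit_conditions(metrics: dict) -> dict:
    """Derive the advisory's 'Exploit Conditions' bullets from the base metrics."""
    return {
        "network_reachability": "Required" if metrics["AV"] == "N" else "Not required",
        "authentication": "Not required" if metrics["PR"] == "N" else "Required",
        "victim_interaction": "Not required" if metrics["UI"] == "N" else "Required",
        "attack_complexity": METRIC_VALUES["AC"][metrics["AC"]],
        # All three subsequent-system metrics High: impact reaches beyond the host.
        "subsequent_system_impact": all(metrics[m] == "H" for m in ("SC", "SI", "SA")),
    }


def parse_version(text: str) -> tuple:
    """'2.5.3' -> (2, 5, 3); raises ValueError for non-numeric components."""
    return tuple(int(piece) for piece in text.strip().split("."))


def classify(version: str) -> str:
    """Place a Web Signer version against the ranges the advisory states.

    'affected'  - inside 2.0.3 through 2.5.3
    'fixed'     - 2.5.5 or later
    'unlisted'  - anything the advisory does not mention (below 2.0.3, or 2.5.4)
    """
    v = parse_version(version)
    if v >= FIXED_IN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "unlisted"


if __name__ == "__main__":
    metrics = parse_cvss4(ADVISORY_VECTOR)
    for key, value in exploit_conditions(metrics).items():
        print(f"{key}: {value}")
    # Constructed sample inventory, not real deployment data.
    for sample in ("2.0.2", "2.0.3", "2.4.0", "2.5.3", "2.5.4", "2.5.5"):
        print(sample, classify(sample))
```

Note that `classify` reports 2.5.4 as "unlisted" rather than guessing: the record names 2.5.3 as the last affected release and 2.5.5 as the fix, and says nothing about the release in between, so a triage script should surface that gap to a human rather than silently treat it either way.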