Issue summary
At startup of the container, the SignServer Admin CLI command bin/signserver wsadmins -allowany is executed. This sets the configuration in the database to allow any administrator with a valid authentication certificate chaining up to a trusted certificate in the application server's truststore to access the AdminWeb in the Administrator role. This allows the AdminWeb to be accessed for the first time, even when no administrator rules have been defined yet. The administrator can then set up the rules and, if desired, change the setting from Allow Any to Allow Only Listed. From then on, only certificates listed in the rules are allowed.
Testing showed that this command runs on every startup of the container rather than only on the first startup. As a result, a configuration set to Allow Only Listed is reset to Allow Any on restart, which again accepts any administrator with a valid authentication certificate chaining up to a trusted certificate in the application server's truststore.
This has been fixed so that the command only runs when the corresponding deployment parameter is set as part of a deployment of the SignServer Container/Helm Chart.
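To illustrate the startup behaviour described above, here is an added shell example (not SignServer's own entrypoint or code) that models the persisted Allow Any setting as a file and replays initial deployment, administrator hardening, and a container restart under both the 7.1.1 behaviour and the 7.2 gated behaviour. The database file, the simulate function and the SIGNSERVER_ADMIN_ALLOWANY parameter name are constructed for the example and are not the real Helm parameter.

```shell
# Added example, not SignServer's own entrypoint. A file stands in for the
# database row holding the Allow Any setting; SIGNSERVER_ADMIN_ALLOWANY is a
# constructed deployment-parameter name, not the real Helm parameter.
DB="${TMPDIR:-/tmp}/signserver-admins.$$"

db_get() { cat "$DB" 2>/dev/null || echo "unset"; }
db_set() { echo "allowany=$1" > "$DB"; }

# Stand-in for "bin/signserver wsadmins -allowany": unconditionally switches
# the persisted setting to Allow Any.
wsadmins_allowany() { db_set true; }

# The administrator logs in and switches the rules to Allow Only Listed.
admin_sets_only_listed() { db_set false; }

# 7.1.1 and earlier: the bootstrap command runs on every container start.
startup_buggy() { wsadmins_allowany; }

# 7.2: the bootstrap command runs only when the deployment parameter is set.
startup_fixed() {
  if [ "${SIGNSERVER_ADMIN_ALLOWANY:-false}" = "true" ]; then
    wsadmins_allowany
  fi
}

# Post-restart check from the advisory: 0 if Allow Only Listed is still in
# effect, 1 if the setting has drifted back to Allow Any.
check_only_listed() { [ "$(db_get)" = "allowany=false" ]; }

# Replays initial deployment (parameter set), administrator hardening, then a
# restart without the parameter, using the given startup function.
simulate() {
  rm -f "$DB"
  SIGNSERVER_ADMIN_ALLOWANY=true
  "$1"
  unset SIGNSERVER_ADMIN_ALLOWANY
  admin_sets_only_listed
  "$1"
  check_only_listed
}

if simulate startup_buggy; then echo "7.1.1: Allow Only Listed kept"
else echo "7.1.1: reverted to Allow Any after restart"; fi
if simulate startup_fixed; then echo "7.2: Allow Only Listed kept"
else echo "7.2: reverted to Allow Any after restart"; fi
rm -f "$DB"
```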
SignServer deployment parameters can be found at: https://docs.keyfactor.com/container/latest/signserver/signserver-helm-deployment-parameters.
Documentation on the Administration settings for SignServer can be found at: https://docs.keyfactor.com/signserver/latest/administrators-page.
Risk assessment
A SignServer Container deployment that is intended to allow only listed certificates begins, after a restart or redeployment, to allow any user with a valid and trusted client authentication certificate to access the AdminWeb in SignServer.
Action
SignServer Container users should update to SignServer 7.2 and, if relying on the Allow Only Listed configuration, ensure that it is properly set.
Severity/CVSS scores
Keyfactor rates the severity as medium with a CVSS v3.0 score of 4.7.
Who is potentially affected?
SignServer Container deployments that use the Allow Only Listed property, configured in the AdminWeb Administrators section or via the Admin CLI of SignServer.
Who is not affected?
All other deployment types, including SW, HW, and Cloud.
How to check if you are affected
Impacted users are only those who were using the Allow Only Listed property configured in the AdminWeb Administrators section or via the Admin CLI of SignServer and are running SignServer Container tagged 7.1.1 or earlier.
Because of the nature of this issue, checking in the AdminWeb of SignServer may not help determine the original configuration of the Allow Only Listed property if it has been reset by a container restart/redeployment. After updating to 7.2, confirm that the Allow Only Listed property is set as intended.
The SignServer version is viewable from the top-right corner of the AdminWeb.
Mitigation
Users should update to SignServer 7.2 and, if relying on the Allow Only Listed configuration, ensure that it is properly configured after updating to version 7.2.
Another mitigation option is to issue administrator client authentication certificates only from a CA that is trusted for that purpose alone.
Additional information
Should you have any additional questions, please reach out to support@keyfactor.com.