CVE-2026-5588: Bouncy Castle Crypto Package For Java: Use of a Broken or Risky Cryptographic Algorithm vulnerability in bcpkix modules

April 15, 2026 (updated April 16, 2026)

: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).

PKIX draft CompositeVerifier accepts empty signature sequence as valid.

This issue affects BC-JAVA: from 1.49 before 1.84.

References

github.com/advisories/GHSA-wg6q-6289-32hp
github.com/bcgit/bc-java
github.com/bcgit/bc-java/commit/656bae0dbd9b1521f840521ff786e78749fe3057
github.com/bcgit/bc-java/wiki/CVE%E2%80%902026%E2%80%905588
nvd.nist.gov/vuln/detail/CVE-2026-5588

Code Behaviors & Features

Detect and mitigate CVE-2026-5588 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →