Overview
This advisory addresses two known security vulnerabilities identified in a third-party dependency (Bouncy Castle) used within DPGW.
Vulnerability Details
- CVE IDs: CVE-2026-0636, CVE-2026-5588
- Dependency Names: org.bouncycastle:bcprov-jdk18on, org.bouncycastle:bcpkix-jdk18on
- Affected Versions of Dependency: 1.74 through 1.82 (inclusive)
- Severity Scores: 6.3 Medium (CVE-2026-0636), 5.5 Medium (CVE-2026-5588)
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber)
DPGW versions shipping affected versions of the dependencies
- < 1.13.18-REL
- < 1.12.42-REL
- < 1.11.46-REL
Risk Assessment & Applicability
Usage
DPGW uses Bouncy Castle as its default cryptographic provider. The LDAP functionality of the Bouncy Castle library is not used by DPGW.
Analysis
CVE-2026-0636
When an application uses Bouncy Castle to retrieve certificates or CRLs (Certificate Revocation Lists) from an LDAP directory, the library builds an LDAP search filter from the lookup parameters. In affected versions the library does not escape the characters that have special meaning inside a filter (*, (, ), and \) before placing them into the query, so a value an attacker controls can change the structure of the filter and therefore which directory entries the search matches.
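The following is an added example, not DPGW or Bouncy Castle code, showing the flaw class described above: a search filter built by string concatenation, the RFC 4515 escaping that closes the hole, and a minimal in-memory filter evaluator so the difference can be observed. The directory contents, the filter template, the attribute names and the injected value are all constructed for the example.

```python
"""Added example, not DPGW or Bouncy Castle code: how an LDAP search filter
built by string concatenation becomes injectable, and the RFC 4515 escaping
that closes it. The directory, the filter template and the inputs are all
constructed here; only the flaw class is taken from the advisory."""
import re
from typing import Dict, List, Tuple

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by the two hex digits of their code.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it can only ever match literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(cn: str) -> str:
    """The flaw class: the caller-controlled value is concatenated verbatim."""
    return f"(&(objectClass=pkiUser)(cn={cn}))"


def build_filter_fixed(cn: str) -> str:
    """Same lookup, value escaped before it is placed into the filter."""
    return f"(&(objectClass=pkiUser)(cn={escape_ldap_filter_value(cn)}))"


# --- A tiny in-memory LDAP evaluator, enough to run the filters above. ---
# Supports (&...), (|...) and (attr=value) with '*' wildcards; an entry is a
# dict of attribute -> list of values. Constructed sample directory:
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=pki,dc=example,dc=com": {
        "objectClass": ["pkiUser"], "cn": ["alice"], "userPassword": ["s3cret"]},
    "cn=bob,ou=pki,dc=example,dc=com": {
        "objectClass": ["pkiUser"], "cn": ["bob"], "userPassword": ["hunter2"]},
    "cn=ca-admin,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "cn": ["ca-admin"]},
}


def _parse(f: str, pos: int = 0) -> Tuple[tuple, int]:
    """Parse one parenthesised filter item starting at pos; return (node, end)."""
    if f[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    if f[pos] in "&|":
        op = "and" if f[pos] == "&" else "or"
        pos += 1
        children = []
        while pos < len(f) and f[pos] == "(":
            node, pos = _parse(f, pos)
            children.append(node)
        if pos >= len(f) or f[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    end = f.index(")", pos)  # an escaped ')' is written '\29', so this is the real close
    attr, _, value = f[pos:end].partition("=")
    return ("eq", attr, value), end + 1


def _value_to_regex(value: str) -> "re.Pattern[str]":
    """Turn an assertion value into a regex: \\xx escapes match literally, '*' is a wildcard."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            out.append(re.escape(chr(int(value[i + 1:i + 3], 16))))
            i += 3
        elif value[i] == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(value[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def _matches(node: tuple, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "and":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "or":
        return any(_matches(c, entry) for c in node[1])
    _, attr, value = node
    rx = _value_to_regex(value)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))


def search(directory: Dict[str, Dict[str, List[str]]], filter_str: str) -> List[str]:
    """Return the DNs of all entries the filter matches."""
    node, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("unbalanced filter")
    return [dn for dn, entry in directory.items() if _matches(node, entry)]


if __name__ == "__main__":
    # The intended lookup is for one user. An injected value appends a clause
    # and turns the lookup into a yes/no oracle on an attribute it never asked for.
    probe = "alice)(userPassword=s*"
    print(build_filter_vulnerable(probe), "->", search(DIRECTORY, build_filter_vulnerable(probe)))
    print(build_filter_fixed(probe), "->", search(DIRECTORY, build_filter_fixed(probe)))
```

With the vulnerable builder the probe value `alice)(userPassword=s*` yields a still well-formed filter that matches alice only when her password starts with `s`, so an attacker who controls the looked-up name can extract attribute values one character at a time; a bare `*` returns every pkiUser entry. With escaping, the same input is a literal string that matches nothing.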
CVE-2026-5588
CompositeVerifier handles composite signatures: a scheme that signs the same data with several different cryptographic algorithms at once, so that if one of them is broken (for example RSA) the other (for example ML-DSA) still protects the data.
The flaw is in how the library handles empty input: CompositeVerifier treats an empty sequence of component signatures as a valid signature, so verification succeeds without any component signature having been checked.
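The vacuous-truth failure mode described above, reproduced as an added example on a stand-in composite scheme. This is not Bouncy Castle code and does not claim to mirror its fix: each "algorithm" here is an HMAC under its own constructed key (a real composite pairs e.g. ML-DSA with RSA or ECDSA), the algorithm names and keys are invented, and the composite is a plain list in place of the DER SEQUENCE a real implementation would parse. The verifier logic and the bug are what the example is about.

```python
"""Added example, not Bouncy Castle code: an empty composite signature
verifying because all() over an empty sequence is True. Component
"algorithms" are HMACs under constructed keys; names and keys are invented."""
import hashlib
import hmac
from typing import Dict, List, Sequence, Tuple

# Stand-in component algorithms and their (constructed) keys.
KEYS: Dict[str, bytes] = {"alg-A": b"key-for-alg-A", "alg-B": b"key-for-alg-B"}

# A composite signature is a sequence of (algorithm, component signature),
# standing in for the DER SEQUENCE a real implementation decodes.
Composite = List[Tuple[str, bytes]]


def component_sign(alg: str, message: bytes) -> bytes:
    return hmac.new(KEYS[alg], message, hashlib.sha256).digest()


def component_verify(alg: str, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(component_sign(alg, message), sig)


def composite_sign(message: bytes, algs: Sequence[str]) -> Composite:
    return [(alg, component_sign(alg, message)) for alg in algs]


def composite_verify_vulnerable(message: bytes, composite: Composite) -> bool:
    """Checks every component that is present, and nothing else.

    The bug: all() over an empty sequence is True, so an empty composite
    verifies. The same logic also accepts a composite from which one
    component was stripped, which defeats the point of signing twice."""
    return all(component_verify(alg, message, sig) for alg, sig in composite)


def composite_verify_fixed(message: bytes, composite: Composite,
                           expected_algs: Sequence[str]) -> bool:
    """Reject before checking anything unless the composite carries exactly
    the component set the key's algorithm identifier promises, in order."""
    if not composite or [alg for alg, _ in composite] != list(expected_algs):
        return False
    return all(component_verify(alg, message, sig) for alg, sig in composite)


if __name__ == "__main__":
    msg = b"tbs-certificate-bytes"
    sig = composite_sign(msg, ["alg-A", "alg-B"])
    print("vulnerable, empty sequence:", composite_verify_vulnerable(msg, []))
    print("fixed, empty sequence:    ", composite_verify_fixed(msg, [], ["alg-A", "alg-B"]))
    print("fixed, genuine signature: ", composite_verify_fixed(msg, sig, ["alg-A", "alg-B"]))
```

The general rule the fixed verifier follows: an accept decision must be tied to a positive count of checks that matches what the algorithm identifier declares, never to the absence of a failure. That rule also catches the stripped-component case, which the "empty sequence" wording of the advisory does not mention but which the same loop structure allows.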
Status
Not affected
Impact on DPGW
DPGW is NOT directly affected by CVE-2026-5588 in its current state, even though it uses a vulnerable version of Bouncy Castle (1.82). It has been confirmed that the vulnerable components (CompositeVerifier, JcaContentVerifierProviderBuilder, and the CMP (Certificate Management Protocol) support) are not used anywhere in the project.
CVE-2026-0636 has no impact because DPGW does not use any LDAP functionality from the Bouncy Castle library.
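The applicability reasoning above (vulnerable version pinned, but the affected API surface not referenced) is the kind of check worth automating so it is re-run on every dependency bump. The following is an added example, not DPGW tooling: it reads Bouncy Castle coordinates out of build text, compares the version numerically against the advisory's affected range, and scans sources for the APIs each CVE goes through. The build snippet and source files are constructed. The CVE-2026-5588 symbol names are the ones the advisory cites; the CVE-2026-0636 symbol names (Bouncy Castle's LDAP cert-store classes) are an assumption about which entry points to look for and are not taken from the advisory.

```python
"""Added example, not DPGW tooling: an applicability check for the two CVEs
in this advisory. Build text and sources below are constructed."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected range from the advisory, inclusive.
AFFECTED_LOW: Version = (1, 74)
AFFECTED_HIGH: Version = (1, 82)

COORD_RE = re.compile(r"org\.bouncycastle:(bcprov|bcpkix)-jdk18on:(\d+(?:\.\d+)+)")

# Symbols per CVE. The CVE-2026-5588 names are the ones the advisory cites;
# the CVE-2026-0636 names are an assumption about which Bouncy Castle LDAP
# entry points to grep for, not taken from the advisory.
INDICATORS: Dict[str, Tuple[str, ...]] = {
    "CVE-2026-5588": ("CompositeVerifier", "JcaContentVerifierProviderBuilder",
                      "org.bouncycastle.cert.cmp"),
    "CVE-2026-0636": ("X509LDAPCertStoreSpi", "X509LDAPCertStoreParameters",
                      "LDAPStoreHelper"),
}


def parse_version(text: str) -> Version:
    """'1.78.1' -> (1, 78, 1); tuples compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def bc_versions(build_text: str) -> Dict[str, Version]:
    """Map 'bcprov'/'bcpkix' to the version pinned in the build file."""
    return {m.group(1): parse_version(m.group(2)) for m in COORD_RE.finditer(build_text)}


def in_affected_range(v: Version) -> bool:
    return AFFECTED_LOW <= v <= AFFECTED_HIGH


def find_usages(sources: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """For each CVE, list (path, symbol) pairs where an indicator appears."""
    hits: Dict[str, List[Tuple[str, str]]] = {cve: [] for cve in INDICATORS}
    for path, text in sources.items():
        for cve, symbols in INDICATORS.items():
            for sym in symbols:
                if sym in text:
                    hits[cve].append((path, sym))
    return hits


def assess(build_text: str, sources: Dict[str, str]) -> Dict[str, str]:
    """Verdict per CVE: dependency out of range, API unused, or affected."""
    versions = bc_versions(build_text)
    vulnerable_dep = any(in_affected_range(v) for v in versions.values())
    usages = find_usages(sources)
    verdict = {}
    for cve in INDICATORS:
        if not vulnerable_dep:
            verdict[cve] = "not affected: dependency outside affected range"
        elif usages[cve]:
            verdict[cve] = "affected: " + ", ".join(f"{p} uses {s}" for p, s in usages[cve])
        else:
            verdict[cve] = "not affected: vulnerable API not referenced"
    return verdict


# Constructed sample inputs.
BUILD_GRADLE = """
dependencies {
    implementation("org.bouncycastle:bcprov-jdk18on:1.82")
    implementation("org.bouncycastle:bcpkix-jdk18on:1.82")
}
"""
SOURCES = {
    "src/main/java/Crypto.java":
        "import org.bouncycastle.jce.provider.BouncyCastleProvider;\n"
        "Security.addProvider(new BouncyCastleProvider());",
    "src/main/java/Pkcs10.java":
        "import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;",
}

if __name__ == "__main__":
    for cve, verdict in assess(BUILD_GRADLE, SOURCES).items():
        print(cve, "->", verdict)
```

A textual scan like this only catches direct references; a transitive path into the vulnerable classes (for example through another library that wraps CMP or the LDAP cert store) would need a reachability check on the compiled classpath instead.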
Remediation & Mitigations
Scheduled fix
Update to:
- 1.13.19-REL (scheduled for the end of April 2026) or newer
- 1.12.43-REL (scheduled for the end of April 2026) or newer
User Actions
No user action is required.