CVE-2026-5588 - Medium Severity Vulnerability
Vulnerable Library - bcpkix-jdk18on-1.80.jar
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs are designed primarily to be used in conjunction with the BC Java provider but may also be used with other providers providing cryptographic services.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.80/5277dfaaef2e92ce1d802499599a0ca7488f86e6/bcpkix-jdk18on-1.80.jar
Dependency Hierarchy:
- ❌ bcpkix-jdk18on-1.80.jar (Vulnerable Library)
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Vulnerability Details
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java.
This issue affects BC-JAVA: from 1.67 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11.
Publish Date: 2026-04-15
URL: CVE-2026-5588
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-04-17
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84
Step up your Open Source Security Game with Mend here
CVE-2026-5588 - Medium Severity Vulnerability
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.8 and up. The APIs are designed primarily to be used in conjunction with the BC Java provider but may also be used with other providers providing cryptographic services.
Library home page: https://www.bouncycastle.org/download/bouncy-castle-java/
Path to dependency file: /OPENAPI-REST-API/openapi-client/kotlin/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcpkix-jdk18on/1.80/5277dfaaef2e92ce1d802499599a0ca7488f86e6/bcpkix-jdk18on-1.80.jar
Dependency Hierarchy:
Found in HEAD commit: 1f70e2feccb7006c8d32cc7d4fe62f5cf5e5c34d
Found in base branch: master
Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules), Legion of the Bouncy Castle Inc. BCPKIX-FIPS bcpkix on All (pkix modules). This vulnerability is associated with program files JcaContentVerifierProviderBuilder.Java.
This issue affects BC-JAVA: from 1.67 before 1.84; BCPKIX-FIPS: from 2.0.6 before 2.0.11, from 2.1.7 before 2.1.11.
Publish Date: 2026-04-15
URL: CVE-2026-5588
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-04-17
Fix Resolution: https://github.com/bcgit/bc-java.git - r1rv84
Step up your Open Source Security Game with Mend here