Exposed PKI Directory of the Spanish National Police
by GordonFreeman - 03-02-26, 11:20 AM
#1
Exposure in Spanish National Police PKI (Spain)
Route: https://pki.policia.es
Issue Identified: Directory listing is enabled at the root level with no authentication required. Exposed folders include:
  • _arls/
  • _cl@ve/
  • _cnp/
  • _csca/
  • _cvca/
  • _dnie/
Content Exposed:
These directories contain Certificate Revocation Lists (CRLs), Authority Revocation Lists (ARLs), root and intermediate certificates, and certification policies related to:
  • Electronic DNI (DNIe)
  • Cl@ve digital identity system
  • Biometric passports
Potential Real-World Impact (Brief):
  • Detailed reconnaissance of the PKI trust chain (enables targeted OSINT attacks).
  • Download of current revocation lists → analysis of revoked certificates (potential for targeted exploitation).
  • Facilitates chaining attacks if additional vulnerabilities (e.g., IDOR or path traversal) are present.
Reply
#2
https://breachforums.bf/Thread-National-Police-Spain

same?
Reply
#3
download link?
Reply
#4
Let’s be perfectly clear: pki.policia.es is the official public key infrastructure (PKI) of the Spanish National Police. It is designed to be public, because its purpose is to allow anyone—citizens, organizations, software systems—to verify digital signatures and authenticate official documents.

Claiming that this constitutes a “data leak” shows a fundamental misunderstanding of what PKI is and how it works. A PKI is literally meant to distribute public certificates. By definition, these certificates are not secret. The private keys remain secure; the public keys are for everyone to see.

Accessing this directory does not expose sensitive information, passwords, or internal systems. It is exactly how PKI is intended to operate. Anyone implying otherwise is not just mistaken—they are demonstrating ignorance about even the basic principles of cryptography and network security.

So, before you start claiming “exposures” or “leaks,” take a moment to understand what a PKI actually does. Public certificates are public. This is not news, this is not a breach, this is not dangerous. It is normal, intentional, and essential for secure digital communication.

If your reaction is “OMG, exposed!” then you clearly don’t have the slightest idea what you’re looking at. Learn the basics of PKI before making claims that make you look foolish.
Reply
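Added example, not part of any post in this thread: the relying-party check that the public material described in post #4 (CA certificates and CRLs) exists to support. It uses the Python `cryptography` package with a CA, certificates and CRLs constructed locally; all names and serial numbers are made up, and expiry, CRL freshness and full path validation are left out.

```python
# Added example: every key, certificate and CRL below is constructed locally.
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, serial):
    return (x509.CertificateBuilder()
            .subject_name(name(subject_cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=30))
            .sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cn, issuer_key, revoked_serials):
    crl = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
           .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for serial in revoked_serials:
        crl = crl.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return crl.sign(issuer_key, hashes.SHA256())

def check(cert, ca_cert, crl):
    """Relying-party decision from public inputs only: CA certificate and CRL."""
    ca_pub = ca_cert.public_key()
    try:  # the certificate must be signed by the CA we already trust
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return "cert-untrusted"
    # a CRL only counts as evidence if that same CA issued and signed it
    if crl.issuer != ca_cert.subject or not crl.is_signature_valid(ca_pub):
        return "crl-untrusted"
    hit = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    return "revoked" if hit is not None else "good"

CA_KEY, OTHER_KEY, USER_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
CA_CERT = make_cert("Example Root CA", CA_KEY, "Example Root CA", CA_KEY, 1)
GOOD = make_cert("holder-a", USER_KEY, "Example Root CA", CA_KEY, 1001)
REVOKED = make_cert("holder-b", USER_KEY, "Example Root CA", CA_KEY, 1002)
FORGED_CERT = make_cert("holder-c", USER_KEY, "Example Root CA", OTHER_KEY, 1003)
CRL = make_crl("Example Root CA", CA_KEY, [1002])
FORGED_CRL = make_crl("Example Root CA", OTHER_KEY, [1001])  # wrong signer
```

The CRL carries only serial numbers and revocation dates, and a copy signed by any key other than the CA's is rejected, so publishing it gives a reader nothing that the holder of the CA private key has not already vouched for.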

