Back to overview

CVE-2026-49834

MEDIUM
5.9
CVSS 3.1
Description
sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised transparency log or CT log to satisfy multi-log threshold requirements and defeat the multi-log policy. This issue is fixed in version 1.2.0.

Metadata

CVE ID
CVE-2026-49834
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-01 18:50 UTC
Published
2026-07-17 19:20 UTC
Last updated
2026-07-17 19:42 UTC
Primary CWE
CWE-347
CWE-347: Improper Verification of Cryptographic Signature
Vendor / Product
sigstore / sigstore-go
Sources
cve.org  ·  NVD

Severity & Metrics

5.9 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
sigstore sigstore-go < 1.2.0
Weakness (CWE)
CWESourceDescription
CWE-347 cna CWE-347: Improper Verification of Cryptographic Signature
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.9 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References (4)
Back to overview