Insufficient verification of data authenticity in Cosign - CVE-2026-22703

Published: April 25, 2026


Vulnerability identifier: #VU127931
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-22703
CWE-ID: CWE-345
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Sigstore
Affected software:
Cosign

Detailed vulnerability description

The vulnerability allows a local user to cause acceptance of an invalid signing bundle.

The vulnerability exists because Rekor entry verification does not sufficiently verify data authenticity when a crafted Cosign bundle is checked. A local user can include an arbitrary valid Rekor entry in the bundle and cause an otherwise invalid signing bundle to be accepted.

This only affects verification when a trusted root is provided via --trusted-root or fetched automatically from a TUF repository and no trusted key material is provided via SIGSTORE_REKOR_PUBLIC_KEY.
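The binding check the description implies, written here as an added illustration (not Cosign's code and not the vendor fix): a Rekor entry carried in a bundle should count as proof of inclusion only if the artifact digest and signature it records are the ones actually being verified, so a log entry that is valid on its own but unrelated to this signature is rejected. The example assumes the entry kind is hashedrekord; SampleBody and the signature bytes are constructed for demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Rekor "hashedrekord" body fields that tie an entry to one digest and one signature.
type hashedRekord struct {
	Kind string
	Spec struct {
		Data      struct{ Hash struct{ Algorithm, Value string } }
		Signature struct{ Content string }
	}
}

// EntryBindsTo rejects a decoded entry body unless the digest and signature it
// records are exactly the ones the bundle presents for verification.
func EntryBindsTo(body, sig, payload []byte) error {
	var e hashedRekord
	if err := json.Unmarshal(body, &e); err != nil {
		return errors.New("entry body is not hashedrekord JSON")
	}
	if e.Kind != "hashedrekord" || e.Spec.Data.Hash.Algorithm != "sha256" {
		return errors.New("unsupported entry kind or hash algorithm")
	}
	sum := sha256.Sum256(payload)
	if e.Spec.Data.Hash.Value != fmt.Sprintf("%x", sum[:]) {
		return errors.New("entry records a different artifact digest")
	}
	if e.Spec.Signature.Content != base64.StdEncoding.EncodeToString(sig) {
		return errors.New("entry records a different signature")
	}
	return nil
}

// SampleBody builds a constructed hashedrekord body for demonstration; not a real log entry.
func SampleBody(sig, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte(fmt.Sprintf(`{"kind":"hashedrekord","spec":{"data":{"hash":{"algorithm":"sha256","value":"%x"}},"signature":{"content":"%s"}}}`, sum[:], base64.StdEncoding.EncodeToString(sig)))
}

func main() {
	sig, art := []byte("constructed-signature"), []byte("artifact-bytes")
	fmt.Println(EntryBindsTo(SampleBody(sig, art), sig, art))                 // <nil>
	fmt.Println(EntryBindsTo(SampleBody(sig, art), sig, []byte("tampered"))) // entry records a different artifact digest
}
```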


How to mitigate CVE-2026-22703

Install the security update from the vendor's website.

Sources