Improper Certificate Validation in Cosign - CVE-2026-24122


Published: April 25, 2026


Vulnerability identifier: #VU127932
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-24122
CWE-ID: CWE-295
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sigstore
Affected software:
Cosign

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass signature verification integrity checks.

The vulnerability exists due to improper certificate validation during certificate chain verification when artifact signatures are verified using certificates with signed timestamps. A remote attacker can present a certificate chain in which an issuing certificate expires before the leaf certificate and thereby bypass signature verification integrity checks.

This affects private deployments with customized PKIs and is unlikely to occur in practice because certification authorities should not issue certificates that outlive the validity of their issuing certificates.
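As an added example (not Cosign's code and not part of this advisory), the check a verifier has to make when the verification time comes from a signed timestamp: every certificate on the path, not only the leaf, must be inside its validity window at that instant, so a leaf that outlives its issuer fails once the issuer has expired. The demo chain (a constructed root, an intermediate that lives one hour, a leaf that outlives it by a day), the `demo-*` names and the `BuildDemoChain`, `VerifyChainAt` and `LeafOutlivesIssuer` helpers are assumptions; chain building uses Go's standard `crypto/x509`, not Cosign's verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a code-signing certificate for cn valid over [nb, na], signed by parent (self-signed when parent is nil).
func issue(cn string, serial int64, nb, na time.Time, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: nb, NotAfter: na,
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign only matters on the CAs
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// LeafOutlivesIssuer flags the misissuance pattern the advisory describes: a leaf whose NotAfter is later than its issuer's.
func LeafOutlivesIssuer(leaf, issuer *x509.Certificate) bool {
	return leaf.NotAfter.After(issuer.NotAfter)
}

// VerifyChainAt validates leaf at the instant `at` (the signed-timestamp time). crypto/x509 applies
// NotBefore/NotAfter to every certificate on the path, so an issuer expired at `at` fails the chain.
func VerifyChainAt(leaf, inter, root *x509.Certificate, at time.Time) error {
	ip, rp := x509.NewCertPool(), x509.NewCertPool()
	ip.AddCert(inter)
	rp.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	return err
}

// BuildDemoChain constructs (hypothetical, not from any real PKI) a root, a one-hour intermediate and a leaf that outlives it by a day.
func BuildDemoChain(t0 time.Time) (leaf, inter, root *x509.Certificate) {
	root, rootKey := issue("demo-root", 1, t0, t0.Add(10*365*24*time.Hour), true, nil, nil)
	inter, interKey := issue("demo-intermediate", 2, t0, t0.Add(time.Hour), true, root, rootKey)
	leaf, _ = issue("demo-leaf", 3, t0, t0.Add(24*time.Hour), false, inter, interKey)
	return leaf, inter, root
}
```

Verifying the same leaf at t0+30m succeeds while verifying at t0+2h fails, even though the leaf itself is still within its own validity window at both instants.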


How to mitigate CVE-2026-24122

Install the security update from the vendor's website.
