Vulnerability in Cosign Affects Container Code Signing and Transparency
CVE-2026-22703

5.5 MEDIUM

Key Information:

Vendor: Sigstore

Status: Vendor

CVE Published: 10 January 2026

What is CVE-2026-22703?

Cosign, a tool for signing containers and binaries and recording those signatures in a transparency log, has a security vulnerability that allows a crafted bundle to verify an artifact successfully even if the bundled Rekor entry does not reference the artifact's digest, signature, or public key. The flaw arises because verification fails to compare the contents of the Rekor entry against the artifact, signature and key actually being verified, so any Rekor response can be accepted as valid. An attacker who has compromised a user's identity or signing key could therefore produce a fraudulent Cosign bundle that carries an arbitrary Rekor entry, undermining users' ability to audit signing events through the log. To mitigate this issue, users are advised to upgrade to Cosign version 2.6.2 or 3.0.4, where the issue has been resolved.
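The check the advisory describes as missing, written out as an added example in Go (this is not Cosign's own code; `RekorEntry` is a simplified stand-in for a parsed hashedrekord body, and all sample values are constructed): a Rekor entry is only evidence for the signing event at hand if it references the same digest, signature and public key the verifier is about to trust.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RekorEntry is a simplified, hypothetical stand-in for the parsed body of a
// hashedrekord entry (not Cosign's own type): the artifact digest, signature
// and public key the entry claims to record.
type RekorEntry struct {
	DataSHA256 string // hex-encoded sha256 of the artifact
	Signature  []byte // signature the entry records
	PublicKey  []byte // public key the entry records
}

// CheckEntryBinding performs the comparison the advisory describes as missing:
// the Rekor entry in a bundle is only evidence for this signing event if it
// references the same digest, signature and public key the verifier is about
// to trust. Any mismatch rejects the bundle.
func CheckEntryBinding(e RekorEntry, artifactDigest [32]byte, sig, pubKey []byte) error {
	if e.DataSHA256 != hex.EncodeToString(artifactDigest[:]) {
		return errors.New("rekor entry does not reference the artifact digest")
	}
	if !bytes.Equal(e.Signature, sig) {
		return errors.New("rekor entry does not reference the bundle signature")
	}
	if !bytes.Equal(e.PublicKey, pubKey) {
		return errors.New("rekor entry does not reference the bundle public key")
	}
	return nil
}

func main() {
	// Constructed sample values; the signature and key are placeholders.
	digest := sha256.Sum256([]byte("constructed artifact contents"))
	sig := []byte("constructed-signature")
	key := []byte("constructed-public-key")

	good := RekorEntry{hex.EncodeToString(digest[:]), sig, key}
	// An entry copied from an unrelated signing event under the same key.
	stale := RekorEntry{hex.EncodeToString(make([]byte, 32)), sig, key}

	fmt.Println("matching entry:", CheckEntryBinding(good, digest, sig, key))
	fmt.Println("unrelated entry:", CheckEntryBinding(stale, digest, sig, key))
}
```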

Affected Version(s)

cosign < 3.0.4

cosign < 2.6.2

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved