Software Supply Chain Vulnerability in Rekor by Sigstore
CVE-2026-23831
5.3 MEDIUM
What is CVE-2026-23831?
A nil pointer dereference in Rekor, the Sigstore software supply chain transparency log, affects versions 1.4.3 and earlier. An attacker can trigger it by submitting a crafted entry whose spec message is empty: validate() does not reject the uninitialized spec, so Canonicalize() dereferences a nil pointer and the Rekor service panics while handling that request. The client receives a generic 500 error for the malformed submission; the service itself keeps running, so the impact is limited to the failed request rather than an outage. The vulnerability is fixed in version 1.5.0.
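The bug class the description refers to, as an added illustration that is not Rekor's own code: a hypothetical entry type whose spec is a pointer (so a submission that omits it, sends null or sends an empty object leaves it uninitialized), a weak validator that never checks the spec itself beside one that rejects an empty spec, and a canonicalize function that dereferences the spec unconditionally. The recover() in process stands in for net/http's per-request panic recovery, which is why the service stays up and the client only sees a generic 500. All type and function names, and the JSON shape, are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical entry shape: "spec" decodes into a pointer, so a body that
// omits it or sends null leaves Spec == nil, and "spec":{} leaves Data == nil.
type Data struct {
	Hash string `json:"hash"`
}

type Spec struct {
	Data *Data `json:"data"`
}

type Entry struct {
	Kind string `json:"kind"`
	Spec *Spec  `json:"spec"`
}

// validateWeak reproduces the bug class: it checks the fields it knows about
// but never confirms that the spec itself was populated.
func validateWeak(e *Entry) error {
	if e.Kind == "" {
		return errors.New("kind is required")
	}
	return nil // an empty spec passes straight through
}

// validateFixed rejects an empty spec before anything under it is touched.
func validateFixed(e *Entry) error {
	if e.Kind == "" {
		return errors.New("kind is required")
	}
	if e.Spec == nil {
		return errors.New("spec must not be empty")
	}
	if e.Spec.Data == nil || e.Spec.Data.Hash == "" {
		return errors.New("spec.data.hash is required")
	}
	return nil
}

// canonicalize assumes validation already ruled out an empty spec; paired
// with validateWeak it dereferences nil and panics.
func canonicalize(e *Entry) string {
	return fmt.Sprintf("%s:%s", e.Kind, e.Spec.Data.Hash)
}

// process decodes, validates and canonicalizes one submission. The deferred
// recover mimics net/http's per-request panic handling: the goroutine is
// reclaimed, the server keeps serving, and this request becomes a 500.
func process(validate func(*Entry) error, body []byte) (out string, status int, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, status, err = "", 500, fmt.Errorf("internal error: %v", r)
		}
	}()
	var e Entry
	if err := json.Unmarshal(body, &e); err != nil {
		return "", 400, err
	}
	if err := validate(&e); err != nil {
		return "", 400, err
	}
	return canonicalize(&e), 200, nil
}

func main() {
	// Constructed inputs: one well-formed entry and three with an empty spec.
	bodies := []string{
		`{"kind":"example","spec":{"data":{"hash":"sha256:abc"}}}`,
		`{"kind":"example","spec":null}`,
		`{"kind":"example","spec":{}}`,
		`{"kind":"example"}`,
	}
	validators := []struct {
		name string
		fn   func(*Entry) error
	}{{"weak", validateWeak}, {"fixed", validateFixed}}
	for _, v := range validators {
		for _, b := range bodies {
			out, st, err := process(v.fn, []byte(b))
			fmt.Printf("%-5s %-55s -> %d %q %v\n", v.name, b, st, out, err)
		}
	}
}
```

With the weak validator every empty-spec body reaches canonicalize and comes back as a recovered panic (500); with the fixed validator the same bodies are rejected up front as client errors (400), and the well-formed entry canonicalizes identically under both.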
Affected Version(s)
rekor < 1.5.0
