SSRF Vulnerability in Rekor Software Supply Chain Transparency Log
CVE-2026-24117
5.3 MEDIUM
What is CVE-2026-24117?
In Rekor versions 1.4.3 and earlier, a Server-Side Request Forgery (SSRF) vulnerability exists in the /api/v1/index/retrieve endpoint. Through user-supplied URLs, an attacker can make the server issue arbitrary GET requests to internal services. Because the response is not returned to the caller, the SSRF does not allow state mutation or data exfiltration, but it may still enable attackers to probe internal networks. The risk is mitigated in version 1.5.0; as an immediate workaround, users are advised to disable the search endpoint by setting --enable_retrieve_api=false.
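As an added illustration of the mitigation class for this kind of bug (example code, not Rekor's own code and not the 1.5.0 change), the Go guard below validates a user-supplied URL before a server fetches it, rejecting loopback, private and link-local destinations; the names `Resolver`, `CheckOutboundURL` and `ErrBlocked` are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver abstracts name lookup so tests can stub it; production code passes
// net.LookupIP. Hypothetical helper written for this example, not Rekor's code.
type Resolver func(host string) ([]net.IP, error)

var ErrBlocked = errors.New("destination not permitted")

// isInternal reports whether ip lies in a range an outbound fetch driven by
// user input should never reach: loopback, RFC 1918 / ULA private, link-local,
// multicast, or the unspecified address.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// CheckOutboundURL validates a user-supplied URL before the server issues a
// GET to it: only http/https with a host, and every address the host maps to
// must be external (all records are checked, not just the first).
func CheckOutboundURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return fmt.Errorf("%w: scheme %q host %q", ErrBlocked, u.Scheme, host)
	}
	// Literal IPs are checked directly; names go through the resolver.
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if ips, err = resolve(host); err != nil {
			return err
		}
	}
	if len(ips) == 0 { // fail closed on an empty answer
		return fmt.Errorf("%w: %s has no addresses", ErrBlocked, host)
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return fmt.Errorf("%w: %s -> %s", ErrBlocked, host, ip)
		}
	}
	return nil
}
```

The check and the later HTTP dial resolve the name separately, so a name whose records change between the two (DNS rebinding) can still slip past; closing that gap means connecting to the address that was validated, for example through a net.Dialer Control hook, rather than resolving again.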
Affected Version(s)
rekor < 1.5.0
