Vulnerability in Cosign Code Signing Tool by Sigstore
CVE-2026-24122

3.7 LOW

Key Information:

Vendor: Sigstore

Status: Vendor

CVE Published: 19 February 2026

What is CVE-2026-24122?

In affected versions of Cosign, certificate-chain verification does not reject an issuing certificate whose validity period ends before that of the leaf certificate it signed. A chain in which the issuing (intermediate or root) certificate has already expired is therefore still treated as valid, and a signature backed by such a chain verifies successfully even though its issuer is no longer trustworthy. This is a bug in the verification logic, not a misconfiguration, and it affects deployments that verify against a custom PKI with their own issuing certificates. Users of the public Sigstore infrastructure are not affected. Operators of private deployments should upgrade to Cosign 3.0.5, which corrects the check.
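As an added illustration, not code from Cosign or the Sigstore project, the Go program below builds a private-PKI chain in which the issuing certificate expires before the leaf, then compares two checks at a given signing time: a leaf-only validity check, which mirrors the class of flaw described above and accepts the chain, and a full chain check through Go's crypto/x509, which evaluates every certificate in the chain against the signing time and rejects it. The CA and signer names, key type and dates are constructed for the example and are not taken from the advisory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed fixture: a self-signed issuer and a leaf it signed.
type Chain struct {
	Issuer *x509.Certificate
	Leaf   *x509.Certificate
}

// newCert creates one certificate from a template and parses the resulting DER.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain issues a leaf whose validity window may extend past its issuer's.
// Nothing at issuance time prevents that; it is the verifier's job to notice.
func BuildChain(caNotBefore, caNotAfter, leafNotBefore, leafNotAfter time.Time) (*Chain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example private CA"}, // hypothetical name
		NotBefore:             caNotBefore,
		NotAfter:              caNotAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example signer"}, // hypothetical name
		NotBefore:    leafNotBefore,
		NotAfter:     leafNotAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf, err := newCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Issuer: ca, Leaf: leaf}, nil
}

// LeafOnlyValid is the weak check: it tests only the leaf's window at the signing
// time, so an issuer that expired earlier goes unnoticed. It models the flaw class
// described in the advisory; it is not Cosign's own code.
func LeafOnlyValid(c *Chain, signingTime time.Time) bool {
	return !signingTime.Before(c.Leaf.NotBefore) && !signingTime.After(c.Leaf.NotAfter)
}

// ChainValidAt is the correct check: crypto/x509 evaluates every certificate in the
// chain, issuer included, against CurrentTime and fails if any of them is expired.
func ChainValidAt(c *Chain, signingTime time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Issuer)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: signingTime,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	// Constructed dates: the CA expires on 30 June, the leaf runs to 31 December.
	d := func(m time.Month, day int) time.Time { return time.Date(2025, m, day, 0, 0, 0, 0, time.UTC) }
	chain, err := BuildChain(d(1, 1), d(6, 30), d(6, 1), d(12, 31))
	if err != nil {
		panic(err)
	}
	for _, signed := range []time.Time{d(6, 15), d(9, 1)} {
		fmt.Printf("signed %s: leaf-only=%v chain=%v\n",
			signed.Format("2006-01-02"), LeafOnlyValid(chain, signed), ChainValidAt(chain, signed))
	}
}
```

For a signature made on 15 June both checks pass; for one made on 1 September the leaf is still within its window, so the leaf-only check accepts it, while the chain check reports that the issuer is expired. The same pattern applies to an intermediate placed between root and leaf: every link in the chain has to be inside its validity period at the time the signature was produced.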

Affected Version(s)

cosign < 3.0.5

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 19 February 2026

  • Vulnerability reserved