File Overwrite Vulnerability in Sigstore Framework - Go Library by Sigstore
CVE-2026-24137
5.8 MEDIUM
What is CVE-2026-24137?
The Sigstore Framework, a widely used Go library, is susceptible to a file overwrite vulnerability caused by improper path validation in its legacy TUF client. A malicious TUF repository can abuse the client's on-disk caching so that files are written to arbitrary locations, limited only by the permissions of the process running the client. Affected environments are those that use the TUF client in sigstore/sigstore directly, as well as older versions of Cosign. Users of public Sigstore deployments are not exposed, because the TUF metadata they consume is validated through trusted collaborations. Mitigations are to update to version 1.10.4 or to disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true.
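The path-containment failure the advisory describes, shown as an added illustration that is not code from sigstore/sigstore: a naive join of a repository-supplied target name onto the cache directory, beside a hardened resolver that refuses any name resolving outside the cache root, plus a check for the SIGSTORE_NO_CACHE=true workaround. The function names, the cache layout, the sample target names and the way the environment variable is parsed are assumptions; how the real client derives cache paths is not on the page.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafeTargetName is returned when a repository-supplied name would
// resolve to a location outside the cache directory.
var ErrUnsafeTargetName = errors.New("target name escapes cache directory")

// CacheDisabled reports whether the SIGSTORE_NO_CACHE=true workaround named in
// the advisory is in effect. Assumption: the real client's parsing of this
// variable may differ; a case-insensitive "true" is used here.
func CacheDisabled() bool {
	return strings.EqualFold(os.Getenv("SIGSTORE_NO_CACHE"), "true")
}

// naiveCachePath has the shape of the defect class the advisory names: an
// untrusted name is joined onto the cache root with no containment check, so
// ".." components or an absolute name land wherever the repository chooses.
// Kept only for contrast with SafeCachePath.
func naiveCachePath(cacheDir, name string) string {
	return filepath.Join(cacheDir, name)
}

// SafeCachePath resolves name relative to cacheDir and returns the result only
// if it is strictly inside cacheDir. Absolute names, names whose ".."
// components climb out of the root, names that collapse onto the root itself,
// and empty names are all rejected. The check is lexical: if the cache may
// contain symlinks, resolve the root with filepath.EvalSymlinks first.
func SafeCachePath(cacheDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrUnsafeTargetName
	}
	root := filepath.Clean(cacheDir)
	candidate := filepath.Join(root, name) // Join cleans the result
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", ErrUnsafeTargetName
	}
	// Rel yields "." for the root itself and a leading ".." for anything
	// above it; a sibling directory such as root+"2" also starts with "..".
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeTargetName
	}
	return candidate, nil
}

func main() {
	// Constructed cache root and sample target names for the demonstration.
	root := filepath.Join(os.TempDir(), "sigstore-cache-example")
	fmt.Println("cache disabled via SIGSTORE_NO_CACHE:", CacheDisabled())
	for _, name := range []string{"targets/rekor.pub", "../../etc/passwd", "/etc/passwd", "targets/.."} {
		safe, err := SafeCachePath(root, name)
		fmt.Printf("%-20q naive=%q safe=%q err=%v\n", name, naiveCachePath(root, name), safe, err)
	}
}
```

Running the block prints, for each constructed name, where the naive join would write and whether the hardened resolver accepts it; only the in-tree name is accepted. The containment test uses filepath.Rel rather than a string-prefix comparison on the joined path so that a sibling directory whose name merely starts with the cache root's name is not mistaken for a location inside it.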
Affected Version(s)
sigstore < 1.10.4
