Cross-Site Request Forgery in Sigstore-Python Auth Flow Vulnerability
CVE-2026-24408

NONE

Key Information:

Vendor

Sigstore

Status
Sigstore-python
Vendor
CVE Published:
26 January 2026

What is CVE-2026-24408?

The sigstore-python tool, utilized for generating and verifying Sigstore signatures, has a vulnerability within its OAuth authentication flow. Prior to version 4.2.0, this flow fails to properly validate the state's value sent back from the server in response. Specifically, the _OAuthSession component generates a unique 'state' parameter for authentication requests but does not verify if the returned 'state' matches the initially generated value. This oversight exposes users to potential Cross-Site Request Forgery attacks, compromising their session integrity. The issue has been addressed in version 4.2.0, which includes the necessary patch.

Affected Version(s)

sigstore-python < 4.2.0

References

https://github.com/sigstore/sigstore-python/security/advi...
x_refsource_CONFIRM
https://github.com/sigstore/sigstore-python/commit/5e7749...
x_refsource_MISC
https://github.com/sigstore/sigstore-python/releases/tag/...
x_refsource_MISC

CVSS V3.1

Score:
Severity:
NONE
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.