Code Signing Vulnerability in Cosign by Sigstore
CVE-2026-39395

CVSS 4.3 MEDIUM

Key Information:

Vendor: Sigstore
Status: Vendor
CVE Published: 7 April 2026

What is CVE-2026-39395?

Cosign, a tool for code signing and transparency for containers and binaries, has a logic flaw in its handling of predicate type validation prior to versions 3.0.6 and 2.6.3. The issue could produce erroneous 'Verified OK' results for attestation payloads that are malformed or carry a predicate type other than the one requested. Specifically, with older format bundles and detached signatures, a flaw in the error handling could yield misleading outcomes, while newer format bundles skipped the predicate type validation entirely. This flaw can undermine the integrity guarantees of attestation verification in container deployments.
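The two failure modes named above (an error-handling path that reports success, and a check that is skipped altogether) are easiest to see next to a fail-closed version of the same check. The following Go program is an added illustration written for this page; it is not cosign's code and does not reproduce the actual defect. It parses a minimal in-toto Statement, compares its predicateType against the expected type, and contrasts a strict checker with a hypothetical lenient one that swallows parse errors. The sample payloads are constructed; the predicate type URIs are the public SLSA and in-toto ones.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// statement is the minimal shape of an in-toto Statement carried in an
// attestation payload; only the fields needed for the check are kept.
type statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name string `json:"name"`
	} `json:"subject"`
	Predicate json.RawMessage `json:"predicate"`
}

var (
	ErrMalformed         = errors.New("attestation payload is malformed")
	ErrPredicateMismatch = errors.New("predicateType does not match expected type")
)

// CheckPredicateType fails closed: a parse error, a missing required field
// or a mismatched predicate type is always reported as an error, never as a pass.
func CheckPredicateType(payload []byte, expected string) error {
	var st statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("%w: %v", ErrMalformed, err)
	}
	if st.Type == "" || st.PredicateType == "" || len(st.Subject) == 0 {
		return fmt.Errorf("%w: missing _type, predicateType or subject", ErrMalformed)
	}
	if st.PredicateType != expected {
		return fmt.Errorf("%w: got %q, want %q", ErrPredicateMismatch, st.PredicateType, expected)
	}
	return nil
}

// LenientCheck is a hypothetical checker showing the class of flaw the advisory
// describes: a parse error is swallowed and the comparison is skipped, so a
// malformed payload reaches the "Verified OK" path.
func LenientCheck(payload []byte, expected string) error {
	var st statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil // BUG: error discarded, validation silently skipped
	}
	if st.PredicateType != "" && st.PredicateType != expected {
		return ErrPredicateMismatch
	}
	return nil
}

// Outcome turns a checker's result into the verdict a CLI would print.
func Outcome(check func([]byte, string) error, payload []byte, expected string) string {
	if err := check(payload, expected); err != nil {
		return "FAILED: " + err.Error()
	}
	return "Verified OK"
}

// Constructed sample inputs; the URIs are the public SLSA/in-toto type identifiers.
const SLSAProvenance = "https://slsa.dev/provenance/v1"

var (
	GoodPayload     = []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1","subject":[{"name":"example.test/app"}],"predicate":{}}`)
	MismatchPayload = []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://in-toto.io/attestation/test-result/v0.1","subject":[{"name":"example.test/app"}],"predicate":{}}`)
	// Truncated JSON stands in for a malformed payload.
	MalformedPayload = []byte(`{"_type":"https://in-toto.io/Statement/v1","predicateType":`)
)

func main() {
	for name, p := range map[string][]byte{"good": GoodPayload, "mismatch": MismatchPayload, "malformed": MalformedPayload} {
		fmt.Printf("%-9s strict:  %s\n", name, Outcome(CheckPredicateType, p, SLSAProvenance))
		fmt.Printf("%-9s lenient: %s\n", name, Outcome(LenientCheck, p, SLSAProvenance))
	}
}
```

Running it shows the strict checker rejecting both the mismatched and the malformed payload, while the lenient checker reports "Verified OK" for the malformed one. The design point is that a predicate type check must treat every non-success path, including "could not parse", as a verification failure, and must run for every bundle format rather than being gated on one.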

Affected Version(s)

cosign >= 3.0.0, < 3.0.6 (fixed in 3.0.6)

cosign < 2.6.3 (fixed in 2.6.3)

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 7 April 2026

  • Vulnerability reserved