Keyless Signing Tool Vulnerability in Gitsign by Sigstore
CVE-2026-44309

5.3 MEDIUM

Key Information:

Vendor

Sigstore

Status
Vendor
CVE Published:
15 May 2026

What is CVE-2026-44309?

Gitsign, a keyless signing tool for Git commits, has a signature-verification flaw in versions prior to 0.16.0. When `gitsign verify` and `gitsign verify-tag` check commit and tag signatures, they encode the commit or tag object differently from git-core, so the two implementations can interpret the same object differently. For malformed objects that contain duplicate tree headers, an attacker can craft a signature that Gitsign accepts as valid even though it does not cover the same content that git-core sees. This undermines the integrity of signature verification and can mislead users about the authenticity of commits. The issue is fixed in version 0.16.0.
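A defensive pre-check of the kind the description calls for, added here as an example and not gitsign's own code: it parses the header block of a raw Git commit object and rejects any object in which tree, author or committer is missing or appears more than once, so a verifier never accepts an object that git-core would read differently. The sample commit objects are constructed for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"strings"
)

// Headers a well-formed commit carries exactly once; "parent" may repeat (merges).
var commitUniqueHeaders = []string{"tree", "author", "committer"}

// HeaderCounts counts each header key in a raw Git object's header block (up to the
// first blank line). Continuation lines start with a space (e.g. gpgsig bodies).
func HeaderCounts(raw []byte) map[string]int {
	counts := map[string]int{}
	sc := bufio.NewScanner(bytes.NewReader(raw))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break // end of header block; the message follows
		}
		if strings.HasPrefix(line, " ") {
			continue
		}
		key, _, _ := strings.Cut(line, " ")
		counts[key]++
	}
	return counts
}

// CheckCommitHeaders rejects an object that git-core and a signature verifier
// could read differently: a must-be-unique header that is missing or duplicated.
func CheckCommitHeaders(raw []byte) error {
	counts := HeaderCounts(raw)
	for _, key := range commitUniqueHeaders {
		if n := counts[key]; n != 1 {
			return fmt.Errorf("malformed commit: %q header appears %d times, want 1", key, n)
		}
	}
	return nil
}

// Constructed sample objects; the tree id is Git's well-known empty-tree id.
const goodCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" +
	"author A <a@example.com> 1700000000 +0000\n" +
	"committer A <a@example.com> 1700000000 +0000\n\nmsg\n"
const dupTreeCommit = "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n" + goodCommit

func main() { fmt.Println(CheckCommitHeaders([]byte(goodCommit)), CheckCommitHeaders([]byte(dupTreeCommit))) }
```

Running it prints `<nil>` for the well-formed commit and a "malformed commit" error for the one with two tree headers.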

Affected Version(s)

gitsign < 0.16.0

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
