Certificate Validation Issue in Sigstore.js JavaScript Library
CVE-2026-48815

7.5HIGH

Key Information:

Vendor

Sigstore

Vendor
CVE Published:
14 July 2026

What is CVE-2026-48815?

The sigstore-js library facilitates interactions with Sigstore services in JavaScript applications. Prior to the release of version 4.1.1, a vulnerability existed where the certificateOIDs option provided in the sigstore.verify() function was accepted by the public API, but ultimately disregarded during the verification process. As a result, necessary certificate extension OIDs that restrict which certificates are permitted to sign artifacts were not verified. This oversight could allow unauthorized certificates to be accepted, potentially exposing applications to security risks. This issue was addressed in version 4.1.1.

Affected Version(s)

sigstore-js < 4.1.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.