Go Library Vulnerability in Sigstore Signing and Verification Tool
CVE-2026-49834
5.9MEDIUM
What is CVE-2026-49834?
The sigstore-go library, utilized for signing and verification, contains a vulnerability prior to version 1.2.0. This flaw occurs when a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), leading to incorrect verification of entries. In such configurations, the library counts verified witnesses based on individual entries or validation paths rather than per the log authority. This oversight means that a single compromised transparency log can satisfy the required multi-log threshold, undermining the multi-log policy intended to enhance security. Users should update to version 1.2.0 or later to mitigate this issue.
Affected Version(s)
sigstore-go < 1.2.0
