Go Library Vulnerability in Sigstore Signing and Verification Tool
CVE-2026-49834

5.9MEDIUM

Key Information:

Vendor

Sigstore

Vendor
CVE Published:
17 July 2026

What is CVE-2026-49834?

The sigstore-go library, utilized for signing and verification, contains a vulnerability prior to version 1.2.0. This flaw occurs when a verifier is configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1), leading to incorrect verification of entries. In such configurations, the library counts verified witnesses based on individual entries or validation paths rather than per the log authority. This oversight means that a single compromised transparency log can satisfy the required multi-log threshold, undermining the multi-log policy intended to enhance security. Users should update to version 1.2.0 or later to mitigate this issue.

Affected Version(s)

sigstore-go < 1.2.0

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.