Unauthenticated Remote Access Vulnerability in Sigstore Timestamp Authority Service
CVE-2026-49835
5.9MEDIUM
What is CVE-2026-49835?
The Sigstore Timestamp Authority service before version 2.1.0 had a significant vulnerability where the global wrapMetrics middleware incorrectly handled raw HTTP request paths and methods. This flaw allowed unauthorized remote attackers to make requests with arbitrary paths (e.g., /api/v1/timestamp/) and HTTP methods, leading to uncontrolled, unbounded time-series entries. Consequently, this could exhaust server memory, impacting service performance and availability. The issue was rectified in version 2.1.0, which emphasized the need for strict input validation and secure request handling.
Affected Version(s)
timestamp-authority < 2.1.0
