Unauthenticated Remote Access Vulnerability in Sigstore Timestamp Authority Service
CVE-2026-49835

5.9MEDIUM

Key Information:

Vendor

Sigstore

Vendor
CVE Published:
17 July 2026

What is CVE-2026-49835?

The Sigstore Timestamp Authority service before version 2.1.0 had a significant vulnerability where the global wrapMetrics middleware incorrectly handled raw HTTP request paths and methods. This flaw allowed unauthorized remote attackers to make requests with arbitrary paths (e.g., /api/v1/timestamp/) and HTTP methods, leading to uncontrolled, unbounded time-series entries. Consequently, this could exhaust server memory, impacting service performance and availability. The issue was rectified in version 2.1.0, which emphasized the need for strict input validation and secure request handling.

Affected Version(s)

timestamp-authority < 2.1.0

References

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.