Credential Exposure in JavaScript Library by Sigstore
CVE-2026-59891

9.6CRITICAL

Key Information:

Vendor

Sigstore

Vendor
CVE Published:
14 July 2026

What is CVE-2026-59891?

The sigstore-js library allows for interactions with Sigstore services but contains a vulnerability where the getRegistryCredentials() function can inadvertently select incorrect credentials. This occurs because the function checks for substring matches with the target registry, rather than ensuring an exact match with the configured registry hostname. As a result, credentials intended for one registry can be erroneously transmitted to another registry that has a related substring in its hostname. This vulnerability was addressed in version 0.7.1, which improved credential handling to prevent such mismatches.

Affected Version(s)

sigstore-js < 0.7.1

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.