Credential Exposure in JavaScript Library by Sigstore
CVE-2026-59891
9.6CRITICAL
What is CVE-2026-59891?
The sigstore-js library allows for interactions with Sigstore services but contains a vulnerability where the getRegistryCredentials() function can inadvertently select incorrect credentials. This occurs because the function checks for substring matches with the target registry, rather than ensuring an exact match with the configured registry hostname. As a result, credentials intended for one registry can be erroneously transmitted to another registry that has a related substring in its hostname. This vulnerability was addressed in version 0.7.1, which improved credential handling to prevent such mismatches.
Affected Version(s)
sigstore-js < 0.7.1
