CVE-2026-49834 in sigstoreinfo

Summary

by MITRE • 07/17/2026

sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised transparency log or CT log to satisfy multi-log threshold requirements and defeat the multi-log policy. This issue is fixed in version 1.2.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The sigstore-go library presents a critical vulnerability in its verification mechanisms that undermines the security assurances provided by multi-log validation policies. This flaw exists in versions prior to 1.2.0 where the library's verifier implementation incorrectly processes witness counting for transparency logs and certificate transparency logs. When configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) parameters, the system fails to properly distinguish between individual log authorities during validation, creating a fundamental weakness in the intended security model.

The technical nature of this vulnerability stems from improper aggregation logic within the verification process where the library counts verified witnesses on a per-entry or per-validation path basis rather than maintaining separate counts for each distinct log authority. This design flaw allows an attacker who compromises a single transparency log or certificate transparency log to satisfy the multi-log threshold requirements that were specifically implemented to prevent such single points of failure. The vulnerability directly contradicts the fundamental security principle that multiple independent authorities should be required to validate cryptographic proofs, as established in common security frameworks and best practices for distributed trust systems.

The operational impact of this vulnerability extends beyond simple credential validation failures, potentially enabling attackers to bypass the intended security controls that protect against log compromise attacks. In environments where sigstore-go is used for software supply chain security, this weakness could allow malicious actors to compromise a single log authority and still achieve successful verification outcomes, effectively neutralizing the security benefits of multi-log validation policies. This issue particularly affects systems implementing the sigstore ecosystem for code signing and artifact verification where trust distribution across multiple authorities was a primary security objective.

The mitigation for this vulnerability requires immediate upgrade to version 1.2.0 or later where the library properly implements per-log authority counting mechanisms. Organizations should also conduct thorough audits of their existing sigstore-go implementations to identify any configurations that might be vulnerable to this specific flaw, particularly those using multi-log validation parameters. Security teams should review their supply chain security policies and ensure that all systems relying on sigstore-go for verification purposes have been updated to prevent potential exploitation. This fix aligns with established security practices for distributed systems where independent authority validation must be preserved to maintain the integrity of trust models. The vulnerability demonstrates the importance of proper implementation of multi-authority validation mechanisms, a concept frequently referenced in cybersecurity standards and attack pattern classifications such as those found in the mitre ATT&CK framework under software supply chain attack categories.

Responsible

GitHub M

Reservation

06/01/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!