CVE-2026-39395

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N                                    

Vulnerability Description

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

Vulnerability Details

Published Date

April 07, 2026

Last Modified

April 08, 2026

CWE ID

CWE-754

Source

NVD

Vendor

sigstore

Product

cosign

External References

https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment