CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-9vcr-p3rj-q5q6: sigstore-go has a multi-log threshold bypass via single compromised log

mediumCVSS 5.9CVE-2026-49834
Impact _What kind of vulnerability is it? Who is impacted?_ A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority. As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy. Note that this does not affect Cosign, as Cosign sets a threshold of 1. Patches _Has the problem been patched? What versions should users upgrade to?_ Upgrade to v1.1.5. Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ There is no workaround, beyond relying on trusted logs.

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 5.9
Published
2026-07-09
Last updated
2026-07-09
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-9vcr-p3rj-q5q6

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49834coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories