CVE-2026-22703

MEDIUM EPSS 0.2%
Published Jan 10, 20265mo ago · Modified Jun 17, 20262w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Jan 10, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
0.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-345

Affected Products 2

VendorProductVersionRange
sigstorecosign* <2.6.2
sigstorecosign*≥3.0.0  –  <3.0.4

References 3

  • github.com https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176
    Patch
  • github.com https://github.com/sigstore/cosign/pull/4623
    Issue Tracking
  • github.com https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m
    ExploitVendor Advisory

Remediation

  • github.com https://github.com/sigstore/cosign/commit/6832fba4928c1ad69400235bbc41212de5006176
    Patch