CVE-2026-24117
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-22

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24117
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linuxfoundation rekor to 1.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Server-Side Request Forgery (SSRF) in Rekor versions 1.4.3 and below. It allows attackers to make the server send GET requests to arbitrary internal services by using the /api/v1/index/retrieve endpoint, which retrieves a public key via a user-provided URL. Although the SSRF can only trigger GET requests and does not return the response to the attacker, it enables probing of internal networks through Blind SSRF.

Impact Analysis

The vulnerability allows an attacker to probe internal network services by making the server send GET requests to internal URLs. While it cannot mutate state or exfiltrate data directly, it could be used to map internal network structure or discover internal services, potentially aiding further attacks.

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade Rekor to version 1.5.0 or later. As a workaround, disable the search endpoint by setting the option --enable_retrieve_api=false.

Compliance Impact

The vulnerability allows an attacker to perform Blind SSRF to probe internal networks but does not allow data exfiltration or state mutation. Therefore, it does not directly lead to unauthorized data access or leakage that would impact compliance with standards like GDPR or HIPAA. However, the ability to probe internal services could potentially be used as part of a larger attack chain, so organizations should consider this risk in their overall security posture.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart