CVE-2026-31830
Received Received - Intake
Verification Bypass in sigstore-ruby Prior to

Publication date: 2026-03-10

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed in 0.2.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31830
EUVD
EUVD-2026-10932
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sigstore sigstore to 0.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-252 The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the sigstore-ruby library prior to version 0.2.3. Specifically, the method Sigstore::Verifier#verify does not properly propagate a VerificationFailure error when the artifact digest does not match the digest in the in-toto attestation subject. This means that even if the artifact does not match the attested subject, the verification process incorrectly returns a VerificationSuccess.

Impact Analysis

This vulnerability can lead to false verification success results when verifying DSSE bundles containing in-toto statements. As a result, an attacker could potentially present an artifact that does not match the attested subject, but it would still be accepted as valid. This undermines the integrity verification process and could allow unauthorized or tampered artifacts to be trusted.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade sigstore-ruby to version 0.2.3 or later, where the issue with verification propagation is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart