CVE-2026-49834
Received Received - Intake

Sigstore-go Multi-Log Policy Bypass via Single Compromised Log

Vulnerability report for CVE-2026-49834, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

sigstore-go is a Go library for Sigstore signing and verification. Prior to 1.2.0, a verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) counts verified witnesses per entry or per validation path rather than per log authority, allowing a single compromised transparency log or CT log to satisfy multi-log threshold requirements and defeat the multi-log policy. This issue is fixed in version 1.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
sigstore sigstore-go to 1.2.0 (exc)
sigstore sigstore-go 1.2.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in sigstore-go (versions before 1.2.0) allows a single compromised transparency log or CT log to bypass multi-log threshold security policies. The verifier incorrectly counted verified witnesses per entry rather than per log authority, enabling a malicious log to forge multiple entries or verify multiple times to meet threshold requirements without actual redundancy.

Detection Guidance

This vulnerability affects the sigstore-go library versions prior to 1.2.0. To detect it, check the installed version of sigstore-go in your Go modules or dependencies using commands like 'go list -m sigstore/sigstore-go' or inspecting go.mod files. If the version is less than 1.2.0, the system is vulnerable.

Impact Analysis

An attacker exploiting this could bypass intended multi-log security defenses, potentially allowing forged signatures or certificates to be accepted as valid. This undermines the integrity of the verification process, enabling unauthorized access or data tampering if logs are compromised.

Compliance Impact

This vulnerability could impact compliance by weakening the integrity of digital signatures and verification processes, which are often required for audit trails and data integrity in GDPR and HIPAA. Compromised logs might allow unauthorized changes to be undetected, violating non-repudiation and integrity requirements.

Mitigation Strategies

Upgrade sigstore-go to version 1.2.0 or later to address the multi-log threshold bypass vulnerability. Verify the installed version with 'go list -m sigstore.dev/sigstore-go' and update dependencies accordingly.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49834. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart