CVE-2026-49835
Received Received - Intake

Sigstore Timestamp Authority Prometheus Label Memory Exhaustion

Vulnerability report for CVE-2026-49835, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sigstore timestamp_authority to 2.1.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Sigstore Timestamp Authority allows unauthenticated remote attackers to cause server-side memory exhaustion by sending requests with random paths or HTTP methods. The issue occurs because the global wrapMetrics middleware records raw request paths and methods as Prometheus labels for metrics, creating unbounded time-series entries that exhaust memory.

Detection Guidance

Monitor Prometheus metrics for unbounded label cardinality growth, particularly for HTTP request paths and methods. Check for excessive unique time-series entries in metrics like http_request_duration_seconds or http_requests_total. Use commands like 'curl -s http://<timestamp-authority-address>:<port>/metrics | grep -E "http_request_duration_seconds|http_requests_total"' to inspect metric values.

Impact Analysis

An attacker could exploit this to cause an out-of-memory (OOM) condition on the timestamp authority server, leading to denial-of-service. This impacts availability of the service, potentially disrupting timestamping operations for dependent systems.

Compliance Impact

This vulnerability primarily impacts system availability by enabling denial-of-service through memory exhaustion, which could disrupt services handling sensitive data. While not directly violating GDPR or HIPAA, prolonged downtime might affect compliance with availability requirements in these regulations. The root cause (unbounded metric labels) does not directly relate to data protection controls mandated by GDPR or HIPAA.

Mitigation Strategies

Upgrade to timestamp-authority version 2.1.0 or later. If upgrading is not immediately possible, implement rate-limiting or block invalid requests at a reverse proxy level. Restrict Prometheus metric label cardinality by normalizing paths and methods to predefined allowlists.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49835. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart