CVE-2026-59891
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-59891, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sigstore sigstore-js to 0.7.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-522 The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

sigstore-js is a JavaScript library used to interact with Sigstore services, which are designed to improve software supply chain security by providing tools for signing and verifying software artifacts.

The vulnerability in versions prior to 0.7.1 involves the getRegistryCredentials() function, which reads credentials from the Docker config file. The function selects credentials by checking if any configured auth key contains the target registry string as a substring, rather than performing an exact host match.

This means that if a user has credentials configured for one registry (e.g., 'registry.example.com'), those credentials could be mistakenly selected and transmitted to a different registry (e.g., 'malicious-registry.example.com') if the hostname of the second registry contains the first as a substring.

This flaw was fixed in version 0.7.1 of sigstore-js.

Impact Analysis

If you are using a vulnerable version of sigstore-js (prior to 0.7.1), this vulnerability could have several impacts:

  • Unauthorized access to private registries: An attacker could trick the system into sending credentials intended for one registry to a malicious registry, potentially exposing sensitive authentication tokens or passwords.
  • Data exfiltration: If the credentials are used to access private repositories or artifacts, an attacker could gain access to proprietary or confidential software components.
  • Supply chain attacks: Attackers could manipulate the software supply chain by injecting malicious artifacts or tampering with legitimate ones, as they may gain unauthorized access to trusted registries.
  • Reputation damage: If credentials are leaked or misused, it could lead to breaches of trust with customers, partners, or regulatory bodies.

The CVSS score of 9.6 (Critical) indicates this is a high-severity issue, meaning it could have a significant impact if exploited.

Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the context in which sigstore-js is used:

  • GDPR (General Data Protection Regulation): If the exposed credentials are used to access or process personal data of EU citizens, this vulnerability could lead to unauthorized access or disclosure of such data. GDPR requires organizations to implement appropriate technical measures to protect personal data, and a failure to do so could result in fines or legal action.
  • HIPAA (Health Insurance Portability and Accountability Act): If the credentials are used to access systems containing protected health information (PHI), this vulnerability could lead to unauthorized access to PHI. HIPAA requires strict controls over access to PHI, and a breach could result in penalties.
  • ISO 27001: This standard requires organizations to manage information security risks, including those related to access control and credential management. A vulnerability like this could indicate a failure to meet ISO 27001 requirements for secure credential handling.
  • NIST SP 800-53: This framework includes controls for access control and authentication, which this vulnerability directly impacts. Failure to address such vulnerabilities could result in non-compliance with NIST guidelines.
  • SOC 2: If your organization undergoes SOC 2 audits, this vulnerability could be seen as a failure to meet the security and confidentiality criteria, as it involves improper handling of credentials and potential unauthorized access.

To maintain compliance, organizations should update to the fixed version of sigstore-js (0.7.1 or later) and review their systems for any potential unauthorized access or data exposure that may have occurred due to this vulnerability.

Detection Guidance

Detecting this vulnerability requires checking if your system is using a vulnerable version of the sigstore-js library (prior to 0.7.1) and verifying how Docker registry credentials are being selected.

  • Check the installed version of the @sigstore/oci package. If it is below 0.7.1, the system is vulnerable.
  • Review the Docker config file (typically located at ~/.docker/config.json) for configured auth keys. Look for cases where a registry hostname might be a substring of another configured auth key (e.g., 'ghcr.io' and 'cr.io').
  • Inspect network traffic or logs for unexpected credential transmissions to registries. This may reveal if credentials are being sent to unintended registries due to substring matching.

Example command to check the installed version of @sigstore/oci:

  • npm list @sigstore/oci

Example command to inspect the Docker config file for auth keys:

  • cat ~/.docker/config.json | grep -A 5 -B 5 "auths"
Mitigation Strategies

To mitigate this vulnerability, follow these steps:

  • Upgrade the @sigstore/oci package to version 0.7.1 or later. This version implements exact host matching for Docker registry credentials, preventing the substring matching issue.
  • If upgrading is not immediately possible, manually review and restrict the Docker config file (e.g., ~/.docker/config.json) to ensure no auth keys contain substrings of other registry hostnames. Remove or consolidate overlapping auth keys.
  • Monitor network traffic for unexpected credential transmissions to registries, especially those with hostnames that are substrings of configured auth keys.
  • Rotate any credentials that may have been exposed to unintended registries as a precaution.

Example command to upgrade the @sigstore/oci package:

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59891. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart