Platform
python
Component
sigstore
Fixed in
4.2.1
4.2.0
CVE-2026-24408 describes a Cross-Site Request Forgery (CSRF) vulnerability within the OAuth authentication flow of sigstore-python. This flaw allows a malicious actor to potentially trick a user into unknowingly signing data with an identity controlled by the attacker. The vulnerability affects versions of sigstore-python up to and including 4.1.0, with a fix available in version 4.2.0.
The impact of CVE-2026-24408 is considered low, but still concerning. An attacker exploiting this vulnerability could craft a malicious request that, when triggered by a user, would cause sigstore-python to sign data using the user's credentials, but with the attacker's intended identity. This could lead to unauthorized code signing or other actions performed under the guise of the legitimate user. While the vulnerability requires a man-in-the-middle attack scenario, successful exploitation could compromise the integrity of signed artifacts and potentially undermine trust in the signing process. The attack relies on social engineering to trick the user into interacting with the malicious request.
CVE-2026-24408 was publicly disclosed on January 26, 2026. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. Given the relatively low CVSS score and lack of public exploits, the probability of active exploitation is currently considered low.
Developers and organizations using sigstore-python for code signing and verification are at risk. Specifically, those relying on OAuth authentication for sigstore-python and using versions prior to 4.2.0 are vulnerable. Shared hosting environments where multiple users share the same sigstore-python installation could also be affected.
• python / sigstore: Inspect OAuth authentication flows for unexpected requests or parameters.

```python
# Example: Check for unusual state parameters in OAuth requests
import re

# Matches an OAuth `state` query parameter built from URL-safe characters.
pattern = re.compile(r'state=[a-zA-Z0-9_-]+')
# Analyze network traffic or application logs for this pattern,
# e.g. pattern.search(log_line) on each captured request line.
```

• python / sigstore: Monitor for unusual code signing activity or unexpected signatures.

```python
# Example: Check for signatures from unknown or suspicious identities
from cryptography import x509

# Analyze code signing certificates and signatures, e.g. load each signing
# certificate with x509.load_pem_x509_certificate() and review its identity.
```

Disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-24408 is to upgrade to sigstore-python version 4.2.0 or later, which includes the fix for the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing additional security measures. User awareness training is crucial to educate users about the risks of phishing and malicious websites. Implementing a Web Application Firewall (WAF) with rules to filter suspicious OAuth requests, particularly those lacking proper state validation, can provide an additional layer of protection. Regularly review and audit OAuth configurations to ensure best practices are followed.
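The advisory's workaround points at callbacks "lacking proper state validation". The following is an added example, not sigstore-python's own code, of how an OAuth/OIDC authorization-code client binds the `state` parameter to the pending local flow and rejects a callback that does not carry it; the `OAuthFlow` class and `callback_accepted` helper are hypothetical names for this illustration.

```python
# Added example (not sigstore-python's own code): the OAuth `state` value is
# the standard CSRF defence for the authorization callback. A client that
# does not generate `state` itself and check it on the callback will accept a
# callback the user never initiated; the handler below shows the checked form.
import hmac
import secrets
from urllib.parse import parse_qs, urlparse


class OAuthFlow:
    """Hypothetical local OAuth client tracking one pending authorization."""

    def __init__(self) -> None:
        # Unguessable per-flow value, created locally and never taken from input.
        self.expected_state = secrets.token_urlsafe(32)
        self.completed = False

    def authorization_url(self, auth_endpoint: str, client_id: str) -> str:
        """Build the redirect that sends the user to the identity provider."""
        return (f"{auth_endpoint}?response_type=code&client_id={client_id}"
                f"&state={self.expected_state}")

    def handle_callback(self, callback_url: str) -> str:
        """Return the authorization code only if `state` matches the pending flow.

        Raises ValueError for a missing or mismatched state (a forged callback)
        and for a replayed callback, so an unsolicited request yields no code.
        """
        params = parse_qs(urlparse(callback_url).query)
        state = params.get("state", [None])[0]
        code = params.get("code", [None])[0]
        if self.completed:
            raise ValueError("callback already consumed")
        if state is None or code is None:
            raise ValueError("missing state or code")
        # Constant-time comparison so the expected value does not leak via timing.
        if not hmac.compare_digest(state.encode(), self.expected_state.encode()):
            raise ValueError("state mismatch: possible CSRF")
        self.completed = True
        return code


def callback_accepted(flow: OAuthFlow, callback_url: str) -> bool:
    """Report whether the hardened client would accept a given callback URL."""
    try:
        flow.handle_callback(callback_url)
        return True
    except ValueError:
        return False
```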
Update the sigstore-python library to version 4.2.0 or later. This fixes the CSRF vulnerability in OIDC authentication during signing. You can update with `pip install --upgrade sigstore`.
CVE-2026-24408 is a Cross-Site Request Forgery vulnerability in sigstore-python versions up to 4.1.0, allowing an attacker to potentially trick a user into signing data with an attacker-controlled identity.
You are affected if you are using sigstore-python version 4.1.0 or earlier. Upgrade to version 4.2.0 to mitigate the vulnerability.
Upgrade to sigstore-python version 4.2.0 or later. As a temporary workaround, enhance user awareness and restrict OAuth flows to trusted origins.
There are currently no known active exploits or campaigns targeting CVE-2026-24408, but the vulnerability remains present in older versions.
Refer to the official sigstore-python project's security advisories for the most up-to-date information: [https://github.com/sigstore/sigstore-python/security/advisories](https://github.com/sigstore/sigstore-python/security/advisories)