Platform: python
Component: sigstore
Fixed in: 4.2.0, 4.2.1
CVE-2026-24408 is a Cross-Site Request Forgery (CSRF) vulnerability in the OAuth authentication flow of sigstore-python (the `sigstore` package on PyPI). The flaw allows an attacker to trick a user into signing data with an identity the attacker controls. It affects sigstore-python versions up to and including 4.1.0; the fix shipped in version 4.2.0.
The impact is rated low. An attacker would need to hold a man-in-the-middle position to exploit it. From that position, the attacker could inject a crafted request into the user's OAuth flow so that sigstore-python completes the flow with the attacker's identity instead of the user's. The user would then produce a signature, and a signing certificate, bound to an identity they do not control, which could pass off an artifact as signed by someone other than the real signer. The attack is technically feasible, but the MITM precondition limits its practical exploitability.
CVE-2026-24408 was publicly disclosed on 2026-01-26. No public proof-of-concept exploit is known. The CVSS base score is 2.5 (LOW); note that CVSS rates severity, not the likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog.
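The page does not state which check the affected versions lacked, so the following is an added example, not sigstore-python's own code, that models the OAuth CSRF attack class in general: the attacker completes an authorization with the attacker's account, captures the resulting authorization code, and delivers it to the victim's redirect endpoint. A client that accepts any code arriving at its callback continues under the attacker's identity; a client that binds a random, single-use `state` to the flow and rejects callbacks that do not carry it (RFC 6749 section 10.12) discards the injected code. The provider, endpoints, redirect URI and account names below are all constructed for the demonstration.

```python
"""Added example: why an OAuth authorization-code client must verify `state`.

Constructed scenario, not sigstore-python's implementation. `verify_state=False`
models a client that accepts any code at its callback; `verify_state=True`
models the hardened behaviour.
"""

import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the identity provider's code store:
# issued authorization code -> account the code was issued for.
_ISSUED = {}


def idp_authorize(authorization_url, logged_in_user):
    """Simulate the provider: the user consents, the provider redirects back with a code.

    As in RFC 6749 section 4.1.2, the provider echoes `state` back unchanged.
    """
    req = parse_qs(urlparse(authorization_url).query)
    code = secrets.token_urlsafe(16)
    _ISSUED[code] = logged_in_user
    params = {"code": code}
    if "state" in req:
        params["state"] = req["state"][0]
    return f"{req['redirect_uri'][0]}?{urlencode(params)}"


class AuthCodeClient:
    """Minimal authorization-code client with a loopback redirect endpoint."""

    def __init__(self, redirect_uri, verify_state):
        self.redirect_uri = redirect_uri
        self.verify_state = verify_state  # False models the vulnerable behaviour
        self._pending_state = None

    def authorization_url(self, authorize_endpoint):
        # Fresh, unguessable state, remembered for exactly one flow.
        self._pending_state = secrets.token_urlsafe(32)
        params = {
            "response_type": "code",
            "client_id": "example-client",  # constructed client id
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",
            "state": self._pending_state,
        }
        return f"{authorize_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Return the authorization code, or raise if the callback is not bound to our flow."""
        qs = parse_qs(urlparse(callback_url).query)
        code = qs.get("code", [None])[0]
        if code is None:
            raise ValueError("callback carries no authorization code")
        if self.verify_state:
            got = qs.get("state", [""])[0]
            expected = self._pending_state or ""
            # Constant-time comparison; an absent or foreign state means the
            # callback did not originate from the flow this client started.
            if not expected or not secrets.compare_digest(got.encode(), expected.encode()):
                raise ValueError("state mismatch: callback not bound to this flow (CSRF?)")
        self._pending_state = None  # state is single use
        return code


def run_signing_flow(verify_state, attacker_injects):
    """Return the identity the signing step would run under, or None if the callback is rejected."""
    victim = AuthCodeClient("http://localhost:8080/callback", verify_state)
    victim_url = victim.authorization_url("https://oidc.example/authorize")

    if attacker_injects:
        # The attacker authorizes with the attacker's own account and client state ...
        attacker = AuthCodeClient("http://localhost:8080/callback", verify_state=True)
        attacker_url = attacker.authorization_url("https://oidc.example/authorize")
        callback = idp_authorize(attacker_url, "attacker@example.com")
        # ... and delivers that callback to the victim's loopback listener. Any
        # `state` it carries is the attacker's, not the one the victim's client issued.
    else:
        callback = idp_authorize(victim_url, "victim@example.com")

    try:
        code = victim.handle_callback(callback)
    except ValueError:
        return None
    return _ISSUED[code]


if __name__ == "__main__":
    print("vulnerable client, injected code ->", run_signing_flow(False, True))
    print("hardened client, injected code   ->", run_signing_flow(True, True))
    print("hardened client, legitimate flow ->", run_signing_flow(True, False))
```

The vulnerable client signs under `attacker@example.com`; the hardened client rejects the injected callback and only completes the flow the user actually started.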
Exploit Status
EPSS: 0.01% (1st percentile)
The primary mitigation for CVE-2026-24408 is to upgrade to sigstore-python 4.2.0 or later, which contains the fix. If upgrading is not immediately possible, reduce exposure in the meantime: because exploitation requires a man-in-the-middle position, avoid running signing flows over untrusted networks; restrict OAuth flows to trusted origins; make users aware of phishing and malicious sites that could be used to trigger a crafted request; and review OAuth application permissions regularly. None of these replaces the upgrade.
Update the sigstore-python library to version 4.2.0 or higher. This corrects the CSRF vulnerability in the OIDC authentication flow used during signing. You can update using `pip install --upgrade sigstore`.
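To check whether a project is still on an affected release, the following added example (not part of the page or of sigstore-python) reports the installed `sigstore` version and scans a requirements file for `sigstore` pins below 4.2.0. Exact pins are classified as affected or fixed; ranges and unpinned entries are reported as "unpinned" so the resolved version can be checked in the environment. The sample requirements text is constructed; the `importlib.metadata` call only returns a result if `sigstore` is installed.

```python
"""Added example: flag sigstore-python versions affected by CVE-2026-24408."""

import re
from importlib import metadata

FIXED_IN = (4, 2, 0)  # first fixed release per the advisory

# Matches the distribution name "sigstore" (optionally with extras) but not
# other distributions that merely start with it, e.g. sigstore-protobuf-specs.
_SIGSTORE_LINE = re.compile(r"^sigstore(?![\w.-])\s*(\[[^\]]*\])?\s*(.*)$", re.IGNORECASE)
_EXACT_PIN = re.compile(r"^==\s*([\w.]+)\s*$")


def parse_version(text):
    """Turn '4.1.0', '4.2' or '4.2.0rc1' into a 3-tuple of leading integers.

    Pre-release suffixes are ignored, so '4.2.0rc1' compares like 4.2.0; that is
    a simplification compared with a full PEP 440 comparison.
    """
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
        if m.end() != len(part):
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def is_affected(version):
    """True for any release older than the first fixed release."""
    return parse_version(version) < FIXED_IN


def scan_requirements(text):
    """Return (line, status) pairs for every sigstore entry in a requirements file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _SIGSTORE_LINE.match(line)
        if not m:
            continue
        pin = _EXACT_PIN.match(m.group(2))
        if pin:
            status = "affected" if is_affected(pin.group(1)) else "fixed"
        else:
            status = "unpinned"  # range or no specifier: check the resolved version
        findings.append((raw.strip(), status))
    return findings


def installed_status():
    """Return (installed_version, affected) or None when sigstore is not installed."""
    try:
        version = metadata.version("sigstore")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)


if __name__ == "__main__":
    # Constructed sample requirements file for the demonstration.
    sample = (
        "requests==2.31.0\n"
        "sigstore==4.1.0  # pinned before the fix\n"
        "sigstore-protobuf-specs==0.3.2\n"
    )
    for line, status in scan_requirements(sample):
        print(f"{status:9} {line}")
    print("installed:", installed_status())
```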
CVE-2026-24408 is a Cross-Site Request Forgery vulnerability in sigstore-python versions up to 4.1.0 that lets an attacker trick a user into signing data with an attacker-controlled identity.
You are affected if you use sigstore-python 4.1.0 or earlier. Upgrade to 4.2.0 or later to remediate.
Upgrade to sigstore-python 4.2.0 or later. As a temporary measure only, avoid signing over untrusted networks, restrict OAuth flows to trusted origins, and make users aware of the phishing risk.
No active exploits or campaigns targeting CVE-2026-24408 are currently known, but the vulnerability remains present in older versions.
Refer to the official sigstore-python project's security advisories for the most up-to-date information: [https://github.com/sigstore/sigstore-python/security/advisories](https://github.com/sigstore/sigstore-python/security/advisories)