CVE-2026-49834Medium· 5.9▾ Sunlitsigstore-go has a multi-log threshold bypass via single compromised log
▾ Sunlit zone — Low / medium · no exploitation signal
impact 32.5 · likelihood 0 · exploitation 0
Need a working PoC? Pro members can cast a request and our team develops one — it lands right here.
What kind of vulnerability is it? Who is impacted?
A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority.
As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy.
Note that this does not affect Cosign, as Cosign sets a threshold of 1.
Has the problem been patched? What versions should users upgrade to?
Upgrade to v1.1.5.
Is there a way for users to fix or remediate the vulnerability without upgrading?
There is no workaround, beyond relying on trusted logs.
github.com/sigstore/sigstore-go <= 1.1.4Upgrade to a patched release:
github.com/sigstore/sigstore-go 1.2.0Connected by shared product, vendor, weakness, or advisory.
CVE-2026-48816Medium· 6.5sigstore-js has Insufficient Verification of Data Authenticity
CVE-2026-3012High· 8.0A flaw was found in Samba’s certificate auto-enrollment Group Policy handling
CVE-2026-49478High· 8.7Fulcio has OIDC Discovery Redirect Following Allows SSRF and JWKS Substitution for Meta-Issuer Paths, with Kubernetes Service-Account Token Leakage
CVE-2026-49835Medium· 5.9Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
CVE-2026-48702High· 7.5Rekor has an OOM Condition due to Unbounded gzip Decompression in Alpine APK Parsing Logic
CVE-2026-54174High· 8.3melange: Incomplete package integrity verification allows data section substitution