BIT-cosign-2026-39395

Import Source
https://github.com/bitnami/vulndb/tree/main/data/cosign/BIT-cosign-2026-39395.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-cosign-2026-39395
Aliases
Published
2026-04-09T08:37:13.235Z
Modified
2026-04-09T10:10:56.508139279Z
Summary
Cosign's verify-blob-attestation reports false positive when payload parsing fails
Details

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:go:*:*"
    ]
}
References

Affected packages

Bitnami / cosign

Package

Name
cosign
Purl
pkg:bitnami/cosign

Severity

  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected ranges

Type: SEMVER
Events:
  Introduced: 0 (unknown introduced version; all previous versions are affected)
  Fixed: 2.6.3
  Introduced: 3.0.0
  Fixed: 3.0.6

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/cosign/BIT-cosign-2026-39395.json"