CVE-2026-24137

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2026-24137
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24137.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-24137
Aliases
Downstream
Related
Published
2026-01-23T00:04:19.046Z
Modified
2026-01-24T05:50:28.093081Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
Summary
sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal
Details

sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORENOCACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release.

Database specific 
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24137.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/sigstore/sigstore

Affected ranges

Type
GIT
Repo
https://github.com/sigstore/sigstore
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8ec410a2993ea78083aecf0e473a85453039496e

Affected versions

pkg/signature/kms/aws/v1.*

pkg/signature/kms/aws/v1.10.0
pkg/signature/kms/aws/v1.10.2
pkg/signature/kms/aws/v1.10.3
pkg/signature/kms/aws/v1.6.5
pkg/signature/kms/aws/v1.7.0
pkg/signature/kms/aws/v1.7.1
pkg/signature/kms/aws/v1.7.2
pkg/signature/kms/aws/v1.7.3
pkg/signature/kms/aws/v1.7.4
pkg/signature/kms/aws/v1.7.5
pkg/signature/kms/aws/v1.7.6
pkg/signature/kms/aws/v1.8.0
pkg/signature/kms/aws/v1.8.1
pkg/signature/kms/aws/v1.8.10
pkg/signature/kms/aws/v1.8.11
pkg/signature/kms/aws/v1.8.12
pkg/signature/kms/aws/v1.8.14
pkg/signature/kms/aws/v1.8.15
pkg/signature/kms/aws/v1.8.2
pkg/signature/kms/aws/v1.8.3
pkg/signature/kms/aws/v1.8.4
pkg/signature/kms/aws/v1.8.5
pkg/signature/kms/aws/v1.8.6
pkg/signature/kms/aws/v1.8.7
pkg/signature/kms/aws/v1.8.8
pkg/signature/kms/aws/v1.8.9
pkg/signature/kms/aws/v1.9.0
pkg/signature/kms/aws/v1.9.1
pkg/signature/kms/aws/v1.9.2
pkg/signature/kms/aws/v1.9.3
pkg/signature/kms/aws/v1.9.4
pkg/signature/kms/aws/v1.9.5

pkg/signature/kms/azure/v1.*

pkg/signature/kms/azure/v1.10.0
pkg/signature/kms/azure/v1.10.2
pkg/signature/kms/azure/v1.10.3
pkg/signature/kms/azure/v1.6.5
pkg/signature/kms/azure/v1.7.0
pkg/signature/kms/azure/v1.7.1
pkg/signature/kms/azure/v1.7.2
pkg/signature/kms/azure/v1.7.3
pkg/signature/kms/azure/v1.7.4
pkg/signature/kms/azure/v1.7.5
pkg/signature/kms/azure/v1.7.6
pkg/signature/kms/azure/v1.8.0
pkg/signature/kms/azure/v1.8.1
pkg/signature/kms/azure/v1.8.10
pkg/signature/kms/azure/v1.8.11
pkg/signature/kms/azure/v1.8.12
pkg/signature/kms/azure/v1.8.14
pkg/signature/kms/azure/v1.8.15
pkg/signature/kms/azure/v1.8.2
pkg/signature/kms/azure/v1.8.3
pkg/signature/kms/azure/v1.8.4
pkg/signature/kms/azure/v1.8.5
pkg/signature/kms/azure/v1.8.6
pkg/signature/kms/azure/v1.8.7
pkg/signature/kms/azure/v1.8.8
pkg/signature/kms/azure/v1.8.9
pkg/signature/kms/azure/v1.9.0
pkg/signature/kms/azure/v1.9.1
pkg/signature/kms/azure/v1.9.2
pkg/signature/kms/azure/v1.9.3
pkg/signature/kms/azure/v1.9.4
pkg/signature/kms/azure/v1.9.5

pkg/signature/kms/gcp/v1.*

pkg/signature/kms/gcp/v1.10.0
pkg/signature/kms/gcp/v1.10.2
pkg/signature/kms/gcp/v1.10.3
pkg/signature/kms/gcp/v1.6.5
pkg/signature/kms/gcp/v1.7.0
pkg/signature/kms/gcp/v1.7.1
pkg/signature/kms/gcp/v1.7.2
pkg/signature/kms/gcp/v1.7.3
pkg/signature/kms/gcp/v1.7.4
pkg/signature/kms/gcp/v1.7.5
pkg/signature/kms/gcp/v1.7.6
pkg/signature/kms/gcp/v1.8.0
pkg/signature/kms/gcp/v1.8.1
pkg/signature/kms/gcp/v1.8.10
pkg/signature/kms/gcp/v1.8.11
pkg/signature/kms/gcp/v1.8.12
pkg/signature/kms/gcp/v1.8.14
pkg/signature/kms/gcp/v1.8.15
pkg/signature/kms/gcp/v1.8.2
pkg/signature/kms/gcp/v1.8.3
pkg/signature/kms/gcp/v1.8.4
pkg/signature/kms/gcp/v1.8.5
pkg/signature/kms/gcp/v1.8.6
pkg/signature/kms/gcp/v1.8.7
pkg/signature/kms/gcp/v1.8.8
pkg/signature/kms/gcp/v1.8.9
pkg/signature/kms/gcp/v1.9.0
pkg/signature/kms/gcp/v1.9.1
pkg/signature/kms/gcp/v1.9.2
pkg/signature/kms/gcp/v1.9.3
pkg/signature/kms/gcp/v1.9.4
pkg/signature/kms/gcp/v1.9.5

pkg/signature/kms/hashivault/v1.*

pkg/signature/kms/hashivault/v1.10.0
pkg/signature/kms/hashivault/v1.10.2
pkg/signature/kms/hashivault/v1.10.3
pkg/signature/kms/hashivault/v1.6.5
pkg/signature/kms/hashivault/v1.7.0
pkg/signature/kms/hashivault/v1.7.1
pkg/signature/kms/hashivault/v1.7.2
pkg/signature/kms/hashivault/v1.7.3
pkg/signature/kms/hashivault/v1.7.4
pkg/signature/kms/hashivault/v1.7.5
pkg/signature/kms/hashivault/v1.7.6
pkg/signature/kms/hashivault/v1.8.0
pkg/signature/kms/hashivault/v1.8.1
pkg/signature/kms/hashivault/v1.8.10
pkg/signature/kms/hashivault/v1.8.11
pkg/signature/kms/hashivault/v1.8.12
pkg/signature/kms/hashivault/v1.8.14
pkg/signature/kms/hashivault/v1.8.15
pkg/signature/kms/hashivault/v1.8.2
pkg/signature/kms/hashivault/v1.8.3
pkg/signature/kms/hashivault/v1.8.4
pkg/signature/kms/hashivault/v1.8.5
pkg/signature/kms/hashivault/v1.8.6
pkg/signature/kms/hashivault/v1.8.7
pkg/signature/kms/hashivault/v1.8.8
pkg/signature/kms/hashivault/v1.8.9
pkg/signature/kms/hashivault/v1.9.0
pkg/signature/kms/hashivault/v1.9.1
pkg/signature/kms/hashivault/v1.9.2
pkg/signature/kms/hashivault/v1.9.3
pkg/signature/kms/hashivault/v1.9.4
pkg/signature/kms/hashivault/v1.9.5

v1.*

v1.0.0
v1.0.1
v1.1.0
v1.10.0
v1.10.2
v1.10.3
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.4
v1.6.5
v1.7.0
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-24137.json"