GHSA-xm5m-wgh2-rrg3

Suggest an improvement
Source
https://github.com/advisories/GHSA-xm5m-wgh2-rrg3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xm5m-wgh2-rrg3/GHSA-xm5m-wgh2-rrg3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xm5m-wgh2-rrg3
Aliases
  • CVE-2026-39984
Downstream
Related
Published
2026-04-14T01:01:59Z
Modified
2026-04-16T22:29:17.145333881Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Sigstore Timestamp Authority has Improper Certificate Validation in verifier
Details

Authorization bypass via certificate bag manipulation in sigstore/timestamp-authority verifier

An authorization bypass vulnerability exists in sigstore/timestamp-authority verifier (timestamp-authority/v2/pkg/verification): VerifyTimestampResponse function correctly verifies the certificate chain but when the TSA specific constraints are verified in VerifyLeafCert, the first non-CA certificate from the PKCS#7 certificate bag is used instead of the leaf certificate from the certificate chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key. The library validates the signature using the one certificate but performs authorization checks on the another, allowing an attacker to bypass some authorization controls.

This vulnerability does not apply to timestamp-authority service, only to users of timestamp-authority/v2/pkg/verification package.

This vulnerability does not apply to sigstore-go even though it is a user of timestamp-authority/v2/pkg/verification: Providing TSACertificate option to VerifyTimestampResponse fully mitigates the issue.

Patches

The issue will be fixed in timestamp-authority 2.0.6

Workarounds

Users of VerifyTimestampResponse can use the TSACertificate option to specify the exact certificate they expect to be used: this fully mitigates the issue.

References

This issue was found after reading CVE-2026-33753 / GHSA-3xxc-pwj6-jgrj (originally reported by @Jaynornj and @Pr00fOf3xpl0it)

Database specific 
{
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-295"
    ],
    "github_reviewed_at": "2026-04-14T01:01:59Z",
    "severity": "MODERATE"
}
References

Affected packages

Go / github.com/sigstore/timestamp-authority/v2

Package

Name
github.com/sigstore/timestamp-authority/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/sigstore/timestamp-authority/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.0.6

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xm5m-wgh2-rrg3/GHSA-xm5m-wgh2-rrg3.json"
last_known_affected_version_range 
"<= 2.0.5"