CVE-2026-44309

Source
https://cve.org/CVERecord?id=CVE-2026-44309
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44309.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44309
Aliases
Downstream
Related
Published
2026-05-15T16:22:51.260Z
Modified
2026-07-15T01:49:11.116929957Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Details

Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44309.json",
    "cwe_ids": [
        "CWE-295",
        "CWE-347"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/sigstore/gitsign

Affected ranges

Type
GIT
Repo
https://github.com/sigstore/gitsign
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.16.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v0.*
v0.0.0-test
v0.0.1-alpha
v0.0.2-alpha
v0.1.0
v0.1.1
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.4.0
v0.4.1
v0.5.0
v0.5.1
v0.5.2
v0.6.0
v0.7.0
v0.7.1
v0.8.0
v0.8.1
v0.9.0
v0.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44309.json"