CVE-2026-59891

Source
https://cve.org/CVERecord?id=CVE-2026-59891
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59891.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59891
Aliases
  • GHSA-pf56-329r-95rw
Published
2026-07-14T16:54:50.608Z
Modified
2026-07-17T03:42:03.230564929Z
Severity
  • 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Credential confusion in  @sigstore/oci  can leak registry credentials to an attacker-controlled registry
Details

sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 0.7.1, getRegistryCredentials() reads credentials from the Docker config file and selects an entry by checking whether any configured auth key contains the target registry string. Because this is a substring match rather than an exact host match, credentials configured for one registry can be selected for and transmitted to a different registry whose hostname has a substring relationship with a configured auth key. This issue is fixed in version 0.7.1.

Database specific
{
    "cwe_ids": [
        "CWE-522"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59891.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/sigstore/sigstore-js

Affected ranges

Type
GIT
Repo
https://github.com/sigstore/sigstore-js
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.7.1"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

@sigstore/bundle@1.*
@sigstore/bundle@1.0.0
@sigstore/bundle@1.1.0
@sigstore/bundle@2.*
@sigstore/bundle@2.0.0
@sigstore/bundle@2.1.0
@sigstore/bundle@2.1.1
@sigstore/bundle@2.2.0
@sigstore/bundle@2.3.0
@sigstore/bundle@2.3.1
@sigstore/bundle@2.3.2
@sigstore/bundle@3.*
@sigstore/bundle@3.0.0
@sigstore/bundle@3.1.0
@sigstore/bundle@4.*
@sigstore/bundle@4.0.0
@sigstore/bundle@5.*
@sigstore/bundle@5.0.0
@sigstore/cli@0.*
@sigstore/cli@0.0.2
@sigstore/cli@0.0.3
@sigstore/cli@0.0.4
@sigstore/cli@0.0.5
@sigstore/cli@0.1.0
@sigstore/cli@0.1.1
@sigstore/cli@0.1.2
@sigstore/cli@0.10.0
@sigstore/cli@0.2.0
@sigstore/cli@0.2.1
@sigstore/cli@0.3.0
@sigstore/cli@0.4.0
@sigstore/cli@0.5.0
@sigstore/cli@0.6.0
@sigstore/cli@0.7.0
@sigstore/cli@0.7.1
@sigstore/cli@0.8.0
@sigstore/cli@0.8.1
@sigstore/cli@0.8.2
@sigstore/cli@0.9.0
@sigstore/cli@0.9.1
@sigstore/core@0.*
@sigstore/core@0.1.0
@sigstore/core@0.2.0
@sigstore/core@1.*
@sigstore/core@1.0.0
@sigstore/core@1.1.0
@sigstore/core@2.*
@sigstore/core@2.0.0
@sigstore/core@3.*
@sigstore/core@3.0.0
@sigstore/core@3.2.0
@sigstore/core@3.2.1
@sigstore/core@4.*
@sigstore/core@4.0.0
@sigstore/mock@0.*
@sigstore/mock@0.1.0
@sigstore/mock@0.1.1
@sigstore/mock@0.10.0
@sigstore/mock@0.11.0
@sigstore/mock@0.12.0
@sigstore/mock@0.12.1
@sigstore/mock@0.13.0
@sigstore/mock@0.2.0
@sigstore/mock@0.3.0
@sigstore/mock@0.4.0
@sigstore/mock@0.5.0
@sigstore/mock@0.6.0
@sigstore/mock@0.6.1
@sigstore/mock@0.6.2
@sigstore/mock@0.6.3
@sigstore/mock@0.6.4
@sigstore/mock@0.6.5
@sigstore/mock@0.7.0
@sigstore/mock@0.7.1
@sigstore/mock@0.7.2
@sigstore/mock@0.7.3
@sigstore/mock@0.7.4
@sigstore/mock@0.7.5
@sigstore/mock@0.8.0
@sigstore/mock@0.9.0
@sigstore/oci@0.*
@sigstore/oci@0.1.0
@sigstore/oci@0.2.0
@sigstore/oci@0.3.0
@sigstore/oci@0.3.1
@sigstore/oci@0.3.2
@sigstore/oci@0.3.3
@sigstore/oci@0.3.4
@sigstore/oci@0.3.5
@sigstore/oci@0.3.6
@sigstore/oci@0.3.7
@sigstore/oci@0.4.0
@sigstore/oci@0.5.0
@sigstore/oci@0.6.0
@sigstore/oci@0.6.1
@sigstore/oci@0.7.0
@sigstore/rekor-types@0.*
@sigstore/rekor-types@0.0.2
@sigstore/rekor-types@0.0.3
@sigstore/rekor-types@1.*
@sigstore/rekor-types@1.0.0
@sigstore/rekor-types@2.*
@sigstore/rekor-types@2.0.0
@sigstore/rekor-types@3.*
@sigstore/rekor-types@3.0.0
@sigstore/rekor-types@4.*
@sigstore/rekor-types@4.0.0
@sigstore/rekor-types@5.*
@sigstore/rekor-types@5.0.0
@sigstore/sign@1.*
@sigstore/sign@1.0.0
@sigstore/sign@2.*
@sigstore/sign@2.0.0
@sigstore/sign@2.1.0
@sigstore/sign@2.2.0
@sigstore/sign@2.2.1
@sigstore/sign@2.2.2
@sigstore/sign@2.2.3
@sigstore/sign@2.3.0
@sigstore/sign@2.3.1
@sigstore/sign@2.3.2
@sigstore/sign@3.*
@sigstore/sign@3.0.0
@sigstore/sign@3.1.0
@sigstore/sign@4.*
@sigstore/sign@4.0.0
@sigstore/sign@4.0.1
@sigstore/sign@4.1.1
@sigstore/sign@5.*
@sigstore/sign@5.0.0
@sigstore/tuf@1.*
@sigstore/tuf@1.0.0
@sigstore/tuf@1.0.1
@sigstore/tuf@1.0.2
@sigstore/tuf@1.0.3
@sigstore/tuf@2.*
@sigstore/tuf@2.0.0
@sigstore/tuf@2.1.0
@sigstore/tuf@2.2.0
@sigstore/tuf@2.3.0
@sigstore/tuf@2.3.1
@sigstore/tuf@2.3.2
@sigstore/tuf@2.3.3
@sigstore/tuf@2.3.4
@sigstore/tuf@3.*
@sigstore/tuf@3.0.0
@sigstore/tuf@3.1.0
@sigstore/tuf@3.1.1
@sigstore/tuf@4.*
@sigstore/tuf@4.0.0
@sigstore/tuf@4.0.2
@sigstore/tuf@5.*
@sigstore/tuf@5.0.0
@sigstore/verify@0.*
@sigstore/verify@0.1.0
@sigstore/verify@1.*
@sigstore/verify@1.0.0
@sigstore/verify@1.1.0
@sigstore/verify@1.1.1
@sigstore/verify@1.2.0
@sigstore/verify@1.2.1
@sigstore/verify@2.*
@sigstore/verify@2.0.0
@sigstore/verify@2.1.0
@sigstore/verify@2.1.1
@sigstore/verify@3.*
@sigstore/verify@3.0.0
@sigstore/verify@3.1.1
@sigstore/verify@4.*
@sigstore/verify@4.0.0
sigstore@1.*
sigstore@1.5.1
sigstore@1.5.2
sigstore@1.6.0
sigstore@1.7.0
sigstore@1.8.0
sigstore@1.9.0
sigstore@2.*
sigstore@2.0.0
sigstore@2.1.0
sigstore@2.2.0
sigstore@2.2.1
sigstore@2.2.2
sigstore@2.3.0
sigstore@2.3.1
sigstore@3.*
sigstore@3.0.0
sigstore@3.1.0
sigstore@4.*
sigstore@4.0.0
sigstore@4.1.0
sigstore@4.1.1
sigstore@5.*
sigstore@5.0.0
v0.*
v0.0.1-alpha.5
v0.1.0
v0.1.1
v0.2.0
v0.3.0
v0.4.0
v1.*
v1.0.0
v1.0.0-beta.1
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59891.json"