GHSA-w6c6-c85g-mmv6
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w6c6-c85g-mmv6
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w6c6-c85g-mmv6/GHSA-w6c6-c85g-mmv6.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w6c6-c85g-mmv6
- Aliases
-
- BIT-cosign-2026-39395
- CVE-2026-39395
- Published
- 2026-04-08T00:15:44Z
- Modified
- 2026-04-09T10:10:56.508139279Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Cosign's verify-blob-attestation reports false positive when payload parsing fails
- Details
-
Description
cosign verify-blob-attestationmay erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely.Impact
When
cosign verify-blob-attestationis used without--check-claimsset totrue, an attestation that has a valid signature but a malformed or unparsable payload would be incorrectly validated. Additionally, systems relying on--type <predicate type>to reject attestations with mismatched types would be lead to trust the unexpected attestation type.Patches
v3.0.6, v2.6.3
Workarounds
Always set
--check-claims=truefor attestation verification. - Database specific
{ "nvd_published_at": "2026-04-07T20:16:33Z", "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-754" ], "github_reviewed_at": "2026-04-08T00:15:44Z" }- References
Affected packages
Go / github.com/sigstore/cosign
Package
- Name
- github.com/sigstore/cosign
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/sigstore/cosign
Go / github.com/sigstore/cosign
Package
- Name
- github.com/sigstore/cosign
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/sigstore/cosign