CVE-2026-22703

5.5 MEDIUM

📋 TL;DR

Cosign 2.x before 2.6.2 and 3.x before 3.0.4 accept crafted bundles that pass verification while carrying a Rekor entry unrelated to the signature being checked. An attacker who already holds a compromised signing identity or key can therefore produce a bundle that verifies cleanly but whose transparency-log entry does not record the actual signing event, defeating the audit trail that users of Cosign for container and binary signing rely on.

💻 Affected Systems

Products:
  • Cosign
Versions: 2.x before 2.6.2; 3.x before 3.0.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Cosign's verification of bundles, the Rekor transparency-log entries that a signer attaches to a signature so that verifiers can check the log entry without contacting the log.

📦 What is this software?

Cosign is the Sigstore project's tool for signing and verifying container images, blobs and other software artifacts. Each signing event is recorded in Rekor, Sigstore's transparency log, and a bundle packages the Rekor entry together with the signature so that a verifier can check the log entry offline.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who has obtained a signing key or identity can already sign malicious containers or binaries that verify. With this bug they can also attach an unrelated Rekor entry to that signature, so the fraudulent signing never appears in the transparency log, log monitoring does not flag the compromise, and the malicious artifact ships through the supply chain unnoticed.

🟠

Likely Case

A compromised identity is used to sign unauthorized artifacts while each bundle points at an existing, legitimate Rekor entry, so anyone auditing the log for that identity sees nothing new and the unauthorized signing goes undetected.

🟢

If Mitigated

With tight key management and independent reconciliation of Rekor entries against build records, the impact is limited to a broken audit trail: the bug by itself does not let anyone without a valid key or identity pass verification.

🌐 Internet-Facing: MEDIUM - Exploitation requires compromised signing credentials but could affect publicly distributed containers.
🏢 Internal Only: MEDIUM - Internal build pipelines using vulnerable Cosign versions could be affected if credentials are compromised.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires compromised signing credentials or identity, making it targeted rather than opportunistic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.2 and 3.0.4

Vendor Advisory: https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m

Restart Required: No

Instructions:

1. Update Cosign to 2.6.2 on the 2.x line or 3.0.4 on the 3.x line.
2. Rebuild CI images and pipeline containers that vendor or pin a Cosign binary so the patched version is actually what runs.
3. Re-run verification on your artifacts: a bundle whose Rekor entry does not match the signature and digest being verified now fails instead of passing.

🔧 Temporary Workarounds

Cross-check the bundle's Rekor entry out of band

all

There is no switch that makes an unpatched Cosign safe: flags such as --insecure-ignore-tlog skip the transparency-log check rather than fix it, so they are not a mitigation. Until you can upgrade, decode the Rekor entry embedded in each accepted bundle and confirm that its digest and signature match the artifact and signature being verified, or fetch the entry from the log by the bundle's logIndex and compare it with the signature you hold.

rekor-cli get --log-index <logIndex from the bundle> --format json

🧯 If You Can't Patch

  • Restrict access to signing keys and identities; the bug is only reachable by someone who can produce a valid signature
  • Reconcile Rekor entries under your signing identities against your build records, and check each bundle's embedded entry against the signature it travels with rather than trusting the bundle alone

🔍 How to Verify

Check if Vulnerable:

Run 'cosign version' and read the GitVersion line: a 2.x build is vulnerable if it is below 2.6.2, a 3.x build if it is below 3.0.4. A 2.x build at or above 2.6.2 is fixed even though it is numerically below 3.0.4.

Check Version:

cosign version
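The version check above has a branch-aware subtlety (a 2.x build at or above 2.6.2 is fixed even though it is below 3.0.4). The following is an added example, not code from the cosign project: it classifies the output of `cosign version` against the two fixed releases named in the advisory. Parsing the `GitVersion:` label is an assumption about the text that command prints; a bare version string is accepted as well.

```python
"""Classify a cosign build against the CVE-2026-22703 fixed versions.

Added example, not from the cosign project. It encodes the two fixed releases
named in the advisory (2.6.2 on the 2.x line, 3.0.4 on the 3.x line) so that a
2.x build at or above 2.6.2 is not misreported as vulnerable just because it is
numerically below 3.0.4. Matching the `GitVersion:` label is an assumption about
the human-readable output of `cosign version`.
"""
import re

# Fixed releases from the advisory, keyed by major version line.
FIXED = {2: (2, 6, 2), 3: (3, 0, 4)}

# Prefer the labelled line from `cosign version` so that a later line such as
# "GoVersion: go1.22.0" is never mistaken for the cosign version.
_LABELLED = re.compile(r"GitVersion:\s*v?(\d+)\.(\d+)\.(\d+)")
_BARE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from `cosign version` output or a plain
    version string. Pre-release suffixes such as -rc.1 are ignored, which treats
    2.6.2-rc.1 as fixed; tighten this if you run release candidates."""
    m = _LABELLED.search(text) or _BARE.search(text)
    if m is None:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(text: str) -> bool:
    """True when the build predates the fix on its own release line."""
    v = parse_version(text)
    if v[0] <= 2:
        return v < FIXED[2]   # 1.x and 2.x builds below 2.6.2
    if v[0] == 3:
        return v < FIXED[3]   # 3.x builds below 3.0.4
    return False              # later major lines ship after the fix


if __name__ == "__main__":
    import subprocess
    out = subprocess.run(["cosign", "version"], capture_output=True, text=True).stdout
    print("vulnerable" if is_vulnerable(out) else "fixed", parse_version(out))
```

Run it on a build host with `cosign` on the PATH; the exit text tells you which line the build is on and whether it predates the fix.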

Verify Fix Applied:

After updating, verify a known-good artifact with 'cosign verify' and confirm it still passes; then confirm that a signature whose bundle carries a Rekor entry for a different digest or a different signature is rejected rather than accepted.
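The manual cross-check recommended under "If You Can't Patch" and the post-upgrade behaviour described above come down to one consistency test: the hashedrekord entry embedded in a bundle must name the same payload digest and the same signature bytes as the signature it is attached to. The following is an added example, not code from the cosign project, that performs that test on constructed bundles. The structures follow cosign's bundle annotation (dev.sigstore.cosign/bundle) and Rekor's hashedrekord entry format; the signature bytes, SignedEntryTimestamp and log ID are constructed placeholders, and no cryptographic verification is performed, only the entry-to-signature consistency that an unpatched Cosign failed to enforce.

```python
"""Cross-check the Rekor entry carried in a cosign bundle against the signature
it travels with.

Added example, not code from the cosign project. Structures follow cosign's
bundle annotation (dev.sigstore.cosign/bundle) and Rekor's hashedrekord entry;
all signature bytes, the SignedEntryTimestamp and the log ID are constructed
placeholders. No cryptographic verification happens here, only the check that
the embedded log entry describes the signature and payload being verified.
"""
import base64
import hashlib
import json


def rekor_entry_from_bundle(bundle: dict) -> dict:
    """Decode the base64-encoded Rekor entry body inside a cosign bundle."""
    return json.loads(base64.b64decode(bundle["Payload"]["body"]))


def check_bundle_consistency(bundle: dict, signature_b64: str, payload: bytes) -> tuple:
    """Return (ok, reason). ok is True only when the embedded log entry refers
    to exactly the signature and payload that are being verified."""
    entry = rekor_entry_from_bundle(bundle)
    if entry.get("kind") != "hashedrekord":
        return False, f"unexpected Rekor entry kind {entry.get('kind')!r}"
    spec = entry["spec"]
    if spec["data"]["hash"]["algorithm"].lower() != "sha256":
        return False, "unexpected digest algorithm in Rekor entry"
    if spec["data"]["hash"]["value"].lower() != hashlib.sha256(payload).hexdigest():
        return False, "Rekor entry records a different payload digest"
    # Compare decoded bytes so base64 padding differences cannot mask a mismatch.
    if base64.b64decode(spec["signature"]["content"]) != base64.b64decode(signature_b64):
        return False, "Rekor entry records a different signature"
    return True, "Rekor entry matches the signature and payload"


def make_bundle(payload: bytes, signature_b64: str, log_index: int) -> dict:
    """Build a constructed cosign-style bundle around a hashedrekord entry."""
    entry = {
        "apiVersion": "0.0.1",
        "kind": "hashedrekord",
        "spec": {
            "data": {"hash": {"algorithm": "sha256",
                              "value": hashlib.sha256(payload).hexdigest()}},
            "signature": {"content": signature_b64,
                          "publicKey": {"content": base64.b64encode(
                              b"constructed-public-key-placeholder").decode()}},
        },
    }
    return {
        "SignedEntryTimestamp": "constructed-set-placeholder",  # not a real SET
        "Payload": {
            "body": base64.b64encode(json.dumps(entry).encode()).decode(),
            "integratedTime": 1700000000,
            "logIndex": log_index,
            "logID": "constructed-log-id",
        },
    }


# Constructed sample inputs: payloads shaped like the simple-signing JSON cosign
# signs for an image; the signatures are placeholder bytes, not real ECDSA output.
PAYLOAD = b'{"critical":{"identity":{"docker-reference":"registry.example/app"},"image":{"docker-manifest-digest":"sha256:1111"},"type":"cosign container image signature"}}'
SIGNATURE_B64 = base64.b64encode(b"constructed-signature-over-app").decode()
OTHER_PAYLOAD = b'{"critical":{"identity":{"docker-reference":"registry.example/other"},"image":{"docker-manifest-digest":"sha256:2222"},"type":"cosign container image signature"}}'
OTHER_SIGNATURE_B64 = base64.b64encode(b"constructed-signature-over-other").decode()

# Honest bundle: the log entry describes the signature it is attached to.
HONEST_BUNDLE = make_bundle(PAYLOAD, SIGNATURE_B64, log_index=10)
# Crafted bundle: a well-formed entry for a different artifact attached to the
# signature over PAYLOAD, the combination an unpatched verifier accepted.
CRAFTED_BUNDLE = make_bundle(OTHER_PAYLOAD, OTHER_SIGNATURE_B64, log_index=11)
# Crafted bundle with the right digest but someone else's signature.
SWAPPED_SIG_BUNDLE = make_bundle(PAYLOAD, OTHER_SIGNATURE_B64, log_index=12)


if __name__ == "__main__":
    for name, bundle in [("honest", HONEST_BUNDLE), ("crafted", CRAFTED_BUNDLE),
                         ("swapped-sig", SWAPPED_SIG_BUNDLE)]:
        ok, reason = check_bundle_consistency(bundle, SIGNATURE_B64, PAYLOAD)
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}: {reason}")
```

To run this against a real signature, pull the bundle JSON from the signature layer's dev.sigstore.cosign/bundle annotation, the base64 signature from dev.cosignproject.cosign/signature, and the payload from the layer blob itself; a mismatch on either the digest or the signature is exactly the crafted-bundle case the fixed releases reject.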

📡 Detection & Monitoring

Log Indicators:

  • After upgrading, signatures that used to pass and now fail because the bundle's Rekor entry does not match the signature or digest being verified
  • Verification records where the artifact digest or signature differs from what the bundle's embedded Rekor entry describes
  • Bundles whose Rekor log index or entry does not correspond to a signing event in your own build records

Network Indicators:

  • Bundle verification is offline, so exploitation produces no Rekor traffic at verification time; the signal is in the log itself: entries under your signing identities that do not correspond to artifacts you built
  • Signed artifacts in your registries whose signature, when looked up in Rekor, has no matching entry even though the attached bundle claims one

SIEM Query:

Cosign writes no structured events, so the fields below assume the CI runner logs each verify invocation; treat them as placeholders for your own schema. The useful signal is a successfully bundle-verified digest that your build system never produced, so join the result against your build inventory.

source="cosign" AND (event="verify" AND result="success" AND bundle_verification="true") | stats count by artifact_digest

🔗 References

  • https://github.com/sigstore/cosign/security/advisories/GHSA-whqx-f9j3-ch6m