CVE-2026-24117

5.3 MEDIUM

📋 TL;DR

CVE-2026-24117 is a Server-Side Request Forgery (SSRF) vulnerability in Rekor's /api/v1/index/retrieve endpoint that allows attackers to trigger GET requests to arbitrary internal services. This enables blind SSRF attacks for internal network reconnaissance. Organizations running Rekor versions 1.4.3 and below with the retrieve API enabled are affected.

💻 Affected Systems

Products:
  • sigstore/rekor
Versions: 1.4.3 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the retrieve API enabled (default configuration).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers map internal network services and identify potential targets for further attacks, though they cannot exfiltrate data or modify systems through this vulnerability alone.

🟠

Likely Case

Internal network reconnaissance leading to discovery of other vulnerable services that could be exploited in combination with other vulnerabilities.

🟢

If Mitigated

Limited to failed SSRF attempts that are logged and monitored, with no data exposure or system modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to the vulnerable endpoint with crafted URLs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0

Vendor Advisory: https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j

Restart Required: Yes

Instructions:

1. Backup current configuration.
2. Update Rekor to version 1.5.0 or later.
3. Restart the Rekor service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable retrieve API

Applies to: all

Disables the vulnerable /api/v1/index/retrieve endpoint

Flag: --enable_retrieve_api=false

🧯 If You Can't Patch

  • Implement network segmentation to restrict Rekor's access to internal services
  • Deploy web application firewall rules to block SSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check if running Rekor version 1.4.3 or below and if the retrieve API is enabled in configuration.

Check Version:

rekor version

Verify Fix Applied:

Verify Rekor version is 1.5.0 or later and test that SSRF attempts to the retrieve endpoint are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual requests to /api/v1/index/retrieve with external/internal URLs
  • Failed SSRF attempts in application logs

Network Indicators:

  • Outbound HTTP requests from Rekor to internal IP ranges
  • Unusual traffic patterns from Rekor to non-standard ports

SIEM Query:

source="rekor" AND uri_path="/api/v1/index/retrieve" AND (url_contains="http://" OR url_contains="https://")
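As an added detection example (not part of this advisory or the Rekor project), the script below applies the SIEM predicate above to constructed log lines and classifies the host in each matching URL as internal, external or a hostname needing review; the JSON log format and field names are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlparse

RETRIEVE_PATH = "/api/v1/index/retrieve"

# Constructed sample log lines (not real Rekor output); field names are assumed.
SAMPLE_LOGS = [
    '{"source":"rekor","uri_path":"/api/v1/index/retrieve","url":"http://10.0.0.5:8080/admin"}',
    '{"source":"rekor","uri_path":"/api/v1/index/retrieve","url":"https://keys.example.com/key.pub"}',
    '{"source":"rekor","uri_path":"/api/v1/index/retrieve","url":"http://[::1]:2379/"}',
    '{"source":"rekor","uri_path":"/api/v1/log/entries","url":"https://169.254.169.254/latest/"}',
    '{"source":"nginx","uri_path":"/api/v1/index/retrieve","url":"http://127.0.0.1/"}',
    '{"source":"rekor","uri_path":"/api/v1/index/retrieve","url":"sha256:abc"}',
]


def url_target_class(url):
    """Classify the URL host: 'internal' for loopback/private/link-local/reserved
    literal IPs, 'external' for public literal IPs, 'hostname' when DNS would be
    needed (not resolved here so the check stays offline), 'invalid' otherwise."""
    host = urlparse(url).hostname
    if host is None:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified):
        return "internal"
    return "external"


def is_retrieve_with_url(event):
    """The SIEM predicate with the AND binding both URL scheme tests to the path."""
    url = event.get("url", "")
    return (event.get("source") == "rekor"
            and event.get("uri_path") == RETRIEVE_PATH
            and (url.startswith("http://") or url.startswith("https://")))


def detect(lines):
    """Return one finding per retrieve request carrying a URL, with its host class."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the sweep
        if is_retrieve_with_url(event):
            hits.append({"url": event["url"], "target": url_target_class(event["url"])})
    return hits
```

Findings tagged "internal" correspond to the outbound-to-internal-range network indicator above; "hostname" findings need resolution against your own address plan before triage.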

🔗 References
