CVE-2026-24137
📋 TL;DR
This vulnerability in sigstore's legacy TUF client (the github.com/sigstore/sigstore/pkg/tuf package) allows a malicious TUF repository to overwrite arbitrary files via path traversal in the client's on-disk target cache, which is enabled by default. It affects code that uses that TUF client directly in sigstore/sigstore versions 1.10.3 and below, and older Cosign releases built on them. Users of the public Sigstore deployment are unaffected because its TUF repository is subject to additional validation controls.
💻 Affected Systems
- sigstore/sigstore
- Cosign (older versions)
⚠️ Manual Verification Required
Automated scanners that rely on version ranges from NVD may not flag this CVE, because the NVD entry does not carry a vendor-supplied version range.
Why? The affected and fixed versions come from the GitHub advisory (GHSA-fcv2-xgw5-pqxf: sigstore/sigstore ≤ 1.10.3 affected, 1.10.4 fixed), not from the CVE record itself, so check your dependency version manually.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary file overwrite with the privileges of the process running the TUF client. If that process runs as root or as a deploy user with write access to system or application binaries, configuration, cron entries or shell startup files, the result can be privilege escalation, data destruction or code execution on the next use of the overwritten file.
Likely Case
File corruption or overwriting limited to what the client process can write to (typically the user's home directory and the application's own files), disrupting the application or poisoning locally cached trust material.
If Mitigated
No impact for clients that only talk to the public Sigstore TUF repository, that run with disk caching disabled (SIGSTORE_NO_CACHE=true), or that have been upgraded to sigstore/sigstore 1.10.4 or later.
🎯 Exploit Status
Exploitation requires the attacker to control, or be able to tamper with, a TUF repository that the client is configured to trust; a target whose name contains path traversal components is then written through the disk cache to a location outside the cache directory. The vulnerability is straightforward path traversal and needs no additional primitives. Clients pinned to the public Sigstore repository are not exposed (see TL;DR).
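The following Go program is an added illustration of the bug class, not code from sigstore/sigstore: it places the naive "join the target name onto the cache root" pattern beside a hardened version that rejects any name whose cleaned path leaves the cache directory. The cache root, target names and function names are constructed for the example; the real package's internal names differ.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrTraversal is returned for target names that would resolve outside the cache.
var ErrTraversal = errors.New("tuf target name escapes cache directory")

// naiveCachePath shows the unsafe pattern: an attacker-controlled target name
// is joined straight onto the cache root. filepath.Join cleans the result, so
// "../" components silently walk out of the root.
func naiveCachePath(cacheRoot, targetName string) string {
	return filepath.Join(cacheRoot, targetName)
}

// safeCachePath is the hardened form: the joined path is accepted only if it
// is strictly inside cacheRoot after cleaning. TUF target names are
// slash-separated, so FromSlash maps them to the host separator first.
func safeCachePath(cacheRoot, targetName string) (string, error) {
	if targetName == "" || strings.ContainsRune(targetName, 0) || filepath.IsAbs(targetName) {
		return "", ErrTraversal
	}
	root := filepath.Clean(cacheRoot)
	candidate := filepath.Join(root, filepath.FromSlash(targetName))
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", ErrTraversal
	}
	// rel is "." for the root itself, ".." or "../x" for anything above it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: a hypothetical cache root and a hostile target name
	// of the kind a malicious TUF repository could advertise in its metadata.
	cacheRoot := "/home/ci/.sigstore/root/targets"
	names := []string{
		"rekor.pub",
		"fulcio/fulcio_v1.crt.pem",
		"../../../../../etc/cron.d/evil",
	}
	for _, n := range names {
		fmt.Printf("naive: %-32s -> %s\n", n, naiveCachePath(cacheRoot, n))
		p, err := safeCachePath(cacheRoot, n)
		if err != nil {
			fmt.Printf("safe:  %-32s -> rejected (%v)\n", n, err)
			continue
		}
		fmt.Printf("safe:  %-32s -> %s\n", n, p)
	}
}
```

The check is done on the lexical path only; it does not protect against symlinks already present inside the cache directory, which is acceptable here because an attacker who can write into the cache directory already has what the traversal would give them.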
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.10.4
Vendor Advisory: https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
Restart Required: Yes
Instructions:
1. Update go.mod to require github.com/sigstore/sigstore v1.10.4 or later (for example: go get github.com/sigstore/sigstore@v1.10.4).
2. Run 'go mod tidy' and confirm the selected version with 'go list -m github.com/sigstore/sigstore'; a transitive requirement elsewhere in the build graph can still pull in an older version only if nothing requires 1.10.4 or newer.
3. Rebuild and redeploy every binary that links the package; Cosign users should move to a Cosign release built against sigstore/sigstore 1.10.4 or later.
🔧 Temporary Workarounds
Disable disk caching
Prevents the vulnerable on-disk caching mechanism from being used; the client keeps TUF metadata and targets in memory only.
export SIGSTORE_NO_CACHE=true
Migrate to sigstore-go TUF client
Use the newer TUF implementation, which does not share this code path.
Replace imports of 'github.com/sigstore/sigstore/pkg/tuf' with 'github.com/sigstore/sigstore-go/pkg/tuf'. Note that this is not a drop-in swap: the sigstore-go client has a different API, so call sites need to be ported and retested.
🧯 If You Can't Patch
- Disable disk caching by setting SIGSTORE_NO_CACHE=true environment variable
- Restrict outbound connections from the client so it can only reach the TUF repositories you actually trust, and keep the configured root of trust (root.json) pinned to those repositories
🔍 How to Verify
Check if Vulnerable:
Check whether your code (or a vendored dependency) imports github.com/sigstore/sigstore/pkg/tuf, and whether the selected sigstore/sigstore version is ≤ 1.10.3
Check Version:
go list -m github.com/sigstore/sigstore
grep -E 'github\.com/sigstore/sigstore v(0\.|1\.[0-9]\.|1\.10\.[0-3]([^0-9]|$))' go.mod
Verify Fix Applied:
Confirm that 'go list -m github.com/sigstore/sigstore' reports v1.10.4 or later in every affected build, and that the shipped binaries were rebuilt from that dependency set. Once patched, SIGSTORE_NO_CACHE is no longer needed as a mitigation and the disk cache can be re-enabled.
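As an added example (not part of this advisory or of the sigstore project), the Go program below performs the version check of the "How to Verify" steps in code rather than with a grep: it extracts the exact github.com/sigstore/sigstore requirement from a go.mod (ignoring github.com/sigstore/sigstore-go and comments) and compares it against the fixed version with a small semver comparison that treats pre-releases and pseudo-versions of 1.10.4 as older than the release. The sample go.mod is constructed for the example; in a real check, prefer the version reported by 'go list -m', since go.mod of a consumer may not reflect the version selected through transitive requirements.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

const (
	sigstoreModule = "github.com/sigstore/sigstore"
	fixedVersion   = "v1.10.4"
)

// parseSemver splits "v1.10.3", "v1.10.4-rc.1" or "v1.10.4+meta" into its
// numeric triple and reports whether a pre-release suffix was present.
func parseSemver(v string) ([3]int, bool, error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i] // build metadata never affects precedence
	}
	pre := false
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return [3]int{}, false, fmt.Errorf("not a semver triple: %q", v)
	}
	var out [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return [3]int{}, false, fmt.Errorf("bad component in %q: %w", v, err)
		}
		out[i] = n
	}
	return out, pre, nil
}

// olderThan reports whether v sorts before fixed. A pre-release or
// pseudo-version of the fixed version (v1.10.4-rc.1, v1.10.4-0.2026...) is
// treated as older than the release itself.
func olderThan(v, fixed string) (bool, error) {
	a, aPre, err := parseSemver(v)
	if err != nil {
		return false, err
	}
	b, _, err := parseSemver(fixed)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if a[i] != b[i] {
			return a[i] < b[i], nil
		}
	}
	return aPre, nil
}

// requiredVersion returns the version go.mod requires for exactly module,
// in either "require m v" or block form. Comments after the version are
// ignored and similarly named modules (sigstore-go) do not match.
func requiredVersion(goMod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 2 && f[0] == "require" {
			f = f[1:]
		}
		if len(f) >= 2 && f[0] == module {
			return f[1], true
		}
	}
	return "", false
}

// isVulnerable reports the required sigstore/sigstore version and whether it
// predates the fix. A go.mod without the module is reported as not vulnerable.
func isVulnerable(goMod string) (version string, vulnerable bool, err error) {
	v, ok := requiredVersion(goMod, sigstoreModule)
	if !ok {
		return "", false, nil
	}
	old, err := olderThan(v, fixedVersion)
	return v, old, err
}

// sampleGoMod is a constructed go.mod for the example.
const sampleGoMod = `module example.com/signer

go 1.22

require (
	github.com/sigstore/sigstore v1.10.3
	github.com/sigstore/sigstore-go v1.1.0 // indirect
)
`

func main() {
	v, vuln, err := isVulnerable(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s %s vulnerable=%v (fixed in %s)\n", sigstoreModule, v, vuln, fixedVersion)
}
```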
📡 Detection & Monitoring
Log Indicators:
- File creation or overwrite by a binary that embeds the TUF client outside its cache directory (by default $HOME/.sigstore/root, or the directory set in TUF_ROOT)
- After upgrading to a fixed version: TUF client errors rejecting a target name, which indicate a repository serving traversal names and warrant investigation of that repository
Network Indicators:
- Connections from signing or verification hosts to TUF repository endpoints other than the ones you have configured and pinned
SIEM Query:
The following is a template: substitute the executable names of your own binaries that link the TUF client (the running process is your compiled program, not the 'go' tool), and exclude the cache directory you actually use.
event.category:"file" AND event.action:("creation" OR "modification") AND process.executable:("/usr/local/bin/cosign" OR "/opt/app/bin/signer") AND NOT file.path:"*/.sigstore/root/*"