CVE-2026-24408
sigstore CSRF possibility in OIDC authentication during signing
Description
### Summary

The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.

### Details

`_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request, but the "state" in the server response seems not to be cross-checked against this value. The fix should be fairly trivial.

### Impact

This should be low impact: a man-in-the-middle attacker could trick a sigstore-python user into signing something with an identity controlled by the attacker (by returning the response to an authentication request the attacker created). This would be quite confusing but not dangerous.
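The check the Details section says is missing, written out as an added example. This is not sigstore-python's code: `OAuthFlow`, `OAuthStateMismatch` and the endpoint and redirect URLs are hypothetical stand-ins, and the callback URLs in `demo()` are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

class OAuthStateMismatch(Exception):
    """Callback state is missing or differs from the one this client issued."""

class OAuthFlow:
    """Hypothetical client side of an OIDC code flow (not sigstore's _OAuthSession)."""

    def __init__(self, auth_endpoint: str, client_id: str, redirect_uri: str):
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # Unpredictable per-flow value bound to this client-side session.
        self.state = secrets.token_urlsafe(32)

    def auth_request_url(self) -> str:
        # The state is sent to the identity provider with the request...
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid email",
                  "state": self.state}
        return f"{self.auth_endpoint}?{urlencode(params)}"

    def extract_code(self, callback_url: str) -> str:
        """Return the authorization code only if the echoed state matches ours."""
        query = parse_qs(urlparse(callback_url).query)
        returned_state = query.get("state", [""])[0]
        # ...and must come back unchanged. Omitting this comparison is the reported
        # gap: a response from a flow someone else started would be accepted.
        if not hmac.compare_digest(returned_state.encode(), self.state.encode()):
            raise OAuthStateMismatch("state parameter missing or does not match")
        return query["code"][0]  # KeyError if the callback carries no code

def demo() -> tuple[str, bool]:
    """Constructed run: the genuine callback is accepted, a foreign one rejected."""
    flow = OAuthFlow("https://idp.example.test/auth", "sigstore", "http://localhost:8080/callback")
    good = f"{flow.redirect_uri}?code=good-code&state={flow.state}"
    # Constructed foreign response: plausible code, but the state of a different flow.
    bad = f"{flow.redirect_uri}?code=other-code&state={secrets.token_urlsafe(32)}"
    accepted = flow.extract_code(good)
    try:
        flow.extract_code(bad)
        rejected = False
    except OAuthStateMismatch:
        rejected = True
    return accepted, rejected
```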
How to fix CVE-2026-24408
To remediate CVE-2026-24408, upgrade the affected package to a fixed version below.
- sigstore: upgrade to 4.2.0 or later
Is CVE-2026-24408 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- sigstore: from 0, < 4.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | NONE (0.0) | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N |