Description
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key (from either a Fulcio certificate or provided by the user), and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.
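As an added illustration (not Cosign's own code), the Go function below performs the consistency check the description says was missing: after the Rekor entry's own signature has been verified, the entry body must reference the same artifact digest, signature bytes and public key (or Fulcio certificate PEM) that the bundle claims. It works on a simplified subset of a Rekor hashedrekord entry body; the struct, the function names and NewEntryBody (which builds a constructed sample entry so the check runs offline) are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of a Rekor "hashedrekord" entry body, the entry type Cosign records for
// signatures; encoding/json matches these field names case-insensitively.
type hashedRekord struct {
	Kind string
	Spec struct {
		Data      struct{ Hash struct{ Algorithm, Value string } }
		Signature struct{ Content string; PublicKey struct{ Content string } }
	}
}

// CheckEntryMatchesArtifact is the comparison the advisory says was missing: the
// (already signature-verified) entry must reference the bundle's own digest,
// signature and public key, or any valid log entry could be swapped in.
func CheckEntryMatchesArtifact(entryBodyB64 string, artifact, sig, pubKeyPEM []byte) error {
	var e hashedRekord
	dec := json.NewDecoder(base64.NewDecoder(base64.StdEncoding, strings.NewReader(entryBodyB64)))
	if err := dec.Decode(&e); err != nil {
		return fmt.Errorf("parse entry body: %w", err)
	}
	d, b64 := sha256.Sum256(artifact), base64.StdEncoding.EncodeToString
	switch {
	case e.Kind != "hashedrekord" || e.Spec.Data.Hash.Algorithm != "sha256":
		return fmt.Errorf("unsupported entry kind %q / hash %q", e.Kind, e.Spec.Data.Hash.Algorithm)
	case e.Spec.Data.Hash.Value != fmt.Sprintf("%x", d[:]):
		return fmt.Errorf("rekor entry digest does not match artifact")
	case e.Spec.Signature.Content != b64(sig):
		return fmt.Errorf("rekor entry signature does not match bundle signature")
	case e.Spec.Signature.PublicKey.Content != b64(pubKeyPEM):
		return fmt.Errorf("rekor entry public key does not match verification key")
	}
	return nil
}

// NewEntryBody builds a constructed hashedrekord body (base64 JSON, as Rekor
// serves it) so the check can be exercised offline with sample values.
func NewEntryBody(artifact, sig, pubKeyPEM []byte) string {
	d, b64 := sha256.Sum256(artifact), base64.StdEncoding.EncodeToString
	body := fmt.Sprintf(`{"apiVersion":"0.0.1","kind":"hashedrekord","spec":{"data":{"hash":{"algorithm":"sha256","value":"%x"}},"signature":{"content":%q,"publicKey":{"content":%q}}}}`,
		d[:], b64(sig), b64(pubKeyPEM))
	return b64([]byte(body))
}
```

A bundle whose entry was produced for a different artifact, signature or key fails one of the three comparisons even though the entry itself is a genuine, correctly signed log record.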
Published: 2026-01-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized artifact acceptance
Action: Patch
AI Analysis

Impact

Cosign allows an artifact bundle to be considered verified even when the included Rekor entry does not match the artifact’s digest, signature, or public key. Without these comparisons, a bundle may reference any valid Rekor log entry, resulting in the acceptance of artifacts that have never been legitimately signed. This flaw permits an attacker who has compromised a signing key or identity to reference an arbitrary Rekor log entry in the bundle, undermining the integrity guarantees that Cosign is designed to provide.

Affected Systems

The vulnerability affects the cosign tool from the sigstore project, specifically versions before 2.6.2 and 3.0.4. Users running these earlier releases must ensure they upgrade to a patched version to mitigate the risk.

Risk and Exploitability

The vulnerability has a CVSS score of 5.5, indicating moderate severity, and an EPSS score of less than 1%, signifying a low likelihood of exploitation in current general use. It is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a crafted Cosign bundle, which typically implies either a pre‑existing compromise of the signing key or malicious local control over the verification process. Given this prerequisite, the practical attack vector is limited to environments where an adversary can influence the verification input or has already gained signing credentials.

Generated by OpenCVE AI on April 18, 2026 at 16:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade cosign to version 2.6.2 or later (including 3.0.4 and newer)
  • Re‑sign all existing artifacts with the patched cosign to ensure the bundle references match the correct digest and public key
  • Update CI/CD workflows to enforce the use of the latest cosign version and to reject any non‑standard or externally supplied Rekor entries

Advisories

Source       ID                    Title
GitHub GHSA  GHSA-whqx-f9j3-ch6m   Cosign verification accepts any valid Rekor entry under certain conditions
History

Thu, 05 Feb 2026 21:00:00 +0000
  Type: CPEs
    Values added: cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*

Wed, 14 Jan 2026 00:15:00 +0000
  Type: References (no values listed)
  Type: Metrics threat_severity
    Values removed: None
    Values added: Moderate

Mon, 12 Jan 2026 17:15:00 +0000
  Type: Metrics ssvc
    Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000
  Type: First Time appeared
    Values added: Sigstore; Sigstore cosign
  Type: Vendors & Products
    Values added: Sigstore; Sigstore cosign

Sat, 10 Jan 2026 06:30:00 +0000
  Type: Description
    Values added: Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature, and also compares the artifact's digest, the user's public key from either a Fulcio certificate or provided by the user, and the artifact signature to the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor that has compromised a user's identity or signing key could construct a valid Cosign bundle by including any arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.
  Type: Title
    Values added: Cosign verification accepts any valid Rekor entry under certain conditions
  Type: Weaknesses
    Values added: CWE-345
  Type: References (no values listed)
  Type: Metrics cvssV3_1
    Values added: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-12T16:43:57.302Z

Reserved: 2026-01-08T19:23:09.857Z

Link: CVE-2026-22703

Vulnrichment

Updated: 2026-01-12T16:43:54.654Z

NVD

Status: Analyzed

Published: 2026-01-10T07:16:03.030

Modified: 2026-02-05T20:59:07.633

Link: CVE-2026-22703

Redhat

Severity: Moderate

Public Date: 2026-01-10T06:11:09Z

Links: CVE-2026-22703 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses