Description
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if the provided timestamp would mean the issuing certificate should be considered expired. When verifying artifact signatures using a certificate, Cosign first verifies the certificate chain using the leaf certificate's "not before" timestamp and later checks expiry of the leaf certificate using either a signed timestamp provided by the Rekor transparency log or from a timestamp authority, or using the current time. The root and all issuing certificates are assumed to be valid during the leaf certificate's validity. There is no impact to users of the public Sigstore infrastructure. This may affect private deployments with customized PKIs. This issue has been fixed in version 3.0.5.
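As an added illustration (not Cosign's own code, and not taken from the advisory), the Go program below models the two verification orderings described above using crypto/x509 on a constructed test PKI: a root, a one-month intermediate, and a one-year leaf that outlives its issuer. Checking the chain at the leaf's "not before" and then comparing only the leaf against a signed timestamp accepts the chain; checking the whole chain at the timestamp rejects it because the intermediate has expired. The certificate names, validity periods and helper functions are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a P-256 certificate for a fresh key into the constructed test PKI; a nil parent means self-signed.
func mkCert(cn string, nb, na time.Time, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainValidAt reports whether crypto/x509 accepts leaf -> inter -> root with every certificate valid at t.
func chainValidAt(leaf, inter, root *x509.Certificate, t time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: t})
	return err == nil
}

// Compare builds a 10-year root, a 1-month intermediate and a 1-year leaf that outlives its issuer, then judges a signed timestamp two months after issuance under the pre-3.0.5 and the fixed ordering.
func Compare() (preFix, postFix bool) {
	t0 := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	root, rootKey := mkCert("root", t0, t0.AddDate(10, 0, 0), true, nil, nil)
	inter, interKey := mkCert("intermediate", t0, t0.AddDate(0, 1, 0), true, root, rootKey)
	leaf, _ := mkCert("leaf", t0, t0.AddDate(1, 0, 0), false, inter, interKey)
	signedAt := t0.AddDate(0, 2, 0) // intermediate already expired, leaf still inside its own window
	// Pre-3.0.5 ordering (modelled): chain judged at leaf.NotBefore, then only the leaf's window vs the timestamp.
	preFix = chainValidAt(leaf, inter, root, leaf.NotBefore) &&
		!signedAt.Before(leaf.NotBefore) && !signedAt.After(leaf.NotAfter)
	postFix = chainValidAt(leaf, inter, root, signedAt) // fixed ordering: the whole chain must be valid at the timestamp
	return
}
```

Compare returns (true, false): the same chain and timestamp pass the old ordering and fail once the chain is evaluated at the signed timestamp.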
Published: 2026-02-19
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Certificate Chain Validation Failure
Action: Immediate Patch
AI Analysis

Impact

Cosign versions 3.0.4 and earlier accept an intermediate (issuing) certificate that has already expired as valid when the leaf certificate expires later, even if the supplied timestamp falls after the intermediate's expiry. Verification first checks the certificate chain at the leaf certificate's "not before" date and only later checks the leaf's own expiry against the timestamp, assuming that all ancestor certificates remain valid throughout the leaf's validity period. Consequently, an attacker could produce a signature chain with an expired intermediate certificate that still passes verification, undermining the integrity of the signed artifacts and the trust model of the system.

Affected Systems

The vulnerability affects sigstore cosign deployments running version 3.0.4 or earlier. The issue does not impact the public Sigstore infrastructure but may affect organizations with private deployments that use custom PKIs or custom certificate chains.

Risk and Exploitability

The CVSS score of 3.7 indicates low severity. EPSS is reported as less than 1%, showing a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. It is exploitable during the signature verification phase, when an artifact is processed by cosign: an attacker able to supply or forge a certificate chain could bypass the expiry check on the issuing certificate. The attack likely requires internal or privileged access to the cosign signing workflow, or a compromised private PKI that allows a chain with an expired intermediate certificate to be produced. Given the low EPSS, the prevailing risk is limited but still warrants action.

Generated by OpenCVE AI on April 17, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade sigstore cosign to version 3.0.5 or later, where the validation issue is fixed.
  • If an upgrade is not immediately possible, review and tighten your custom PKI configuration so that no intermediate certificate expires before the end of the leaf certificates it issues.
  • Re-sign any artifacts that were signed with a chain containing the expired intermediate certificate, to re-establish a trusted signature chain.

Advisories

Source: GitHub GHSA
ID: GHSA-wfqv-66vq-46rm
Title: Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped
History

Sat, 21 Feb 2026 00:15:00 +0000
References: no values listed
Metrics threat_severity: changed from None to Low

Fri, 20 Feb 2026 19:15:00 +0000
CPEs: added cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*

Fri, 20 Feb 2026 17:15:00 +0000
Metrics ssvc: added {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000
First Time appeared: Sigstore; Sigstore cosign
Vendors & Products: added Sigstore; Sigstore cosign

Thu, 19 Feb 2026 22:45:00 +0000
Description: added (identical to the Description at the top of this page)
Title: added Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked
Weaknesses: added CWE-295
References: no values listed
Metrics cvssV3_1: added {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:41:03.939Z

Reserved: 2026-01-21T18:38:22.473Z

Link: CVE-2026-24122

Vulnrichment

Updated: 2026-02-20T15:27:30.220Z

NVD

Status : Analyzed

Published: 2026-02-19T23:16:24.517

Modified: 2026-02-20T19:04:02.700

Link: CVE-2026-24122

Red Hat

Severity: Low

Public Date: 2026-02-19T22:27:08Z

Links: CVE-2026-24122 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses