Description
gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys. gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys. Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state. This vulnerability is fixed in 0.14.0.
Published: 2026-05-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The anomaly allows an actor with push rights on the Reference State Log to forge a new log entry pointing to an older policy. Because the policy loader validates only that the referenced policy is signed by the current policy’s root keys, the attacker can effectively downgrade the active policy to an earlier state that may lack recent security enhancements or trust compromised root keys. This rollback enables the re‑introduction of legacy vulnerabilities and the removal of newer safeguards, constituting an instance of broken access control (CWE‑639).

Affected Systems

The vulnerability affects the Git TUF (gittuf) platform used to enforce datastore integrity. All versions prior to 0.14.0 that rely on a git repository to host their Reference State Log are susceptible; any deployment that grants write access to that repository—especially in open‑source or collaborator‑heavy environments—matches the affected scenario.

Risk and Exploitability

With a CVSS score of 4.9 the flaw is rated low on the metrics of confidentiality, integrity, and availability, and the EPSS score is not available. It is not listed in CISA’s KEV catalog. Exploitation requires write access to the RSL, which is often limited to trusted users or administrators. In organizations where that permission is eased to general contributors, the attack vector becomes viable and could pave the way for more severe attacks when combined with other weaknesses.

Generated by OpenCVE AI on May 14, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade gittuf to version 0.14.0 or later to apply the patch
  • Restrict push access on the Reference State Log to only trusted users or administrators
  • Audit the RSL repository for unauthorized policy references and enforce strict permissions

Generated by OpenCVE AI on May 14, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vxvc-cg7j-rwqj gittuf's policy can be rolled back to prior valid versions
History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Gittuf
Gittuf gittuf
Vendors & Products Gittuf
Gittuf gittuf

Thu, 14 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description gittuf is a platform-agnostic Git security system. Prior to 0.14.0, an attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys. gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys. Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state. This vulnerability is fixed in 0.14.0.
Title gittuf: Policy can be rolled back to prior valid version
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Gittuf Gittuf
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:05:22.406Z

Reserved: 2026-05-06T19:38:10.568Z

Link: CVE-2026-44544

cve-icon Vulnrichment

Updated: 2026-05-15T16:44:14.864Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T18:16:50.297

Modified: 2026-05-14T18:27:25.110

Link: CVE-2026-44544

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:21:08Z

Weaknesses