Vulnerability-Lookup

CVE-2026-24408 (GCVE-0-2026-24408)

Vulnerability from cvelistv5 – Published: 2026-01-26 22:21 – Updated: 2026-01-27 21:35

Title

sigstore has CSRF possibility in OIDC authentication during signing

Summary

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.

Severity ?

0 (None)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

CWE

CWE-352 - Cross-Site Request Forgery (CSRF)

Assigner

GitHub_M

References

URL

Tags

	https://github.com/sigstore/sigstore-python/secur…	x_refsource_CONFIRM
	https://github.com/sigstore/sigstore-python/commi…	x_refsource_MISC
	https://github.com/sigstore/sigstore-python/relea…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	sigstore	sigstore-python	Affected: < 4.2.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24408",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-27T21:35:04.864095Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-27T21:35:14.119Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "sigstore-python",
          "vendor": "sigstore",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \"state\" and sends it as a parameter in the authentication request but the \"state\" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 0,
            "baseSeverity": "NONE",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T22:21:35.047Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr"
        },
        {
          "name": "https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa"
        },
        {
          "name": "https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0"
        }
      ],
      "source": {
        "advisory": "GHSA-hm8f-75xx-w2vr",
        "discovery": "UNKNOWN"
      },
      "title": "sigstore has CSRF possibility in OIDC authentication during signing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24408",
    "datePublished": "2026-01-26T22:21:35.047Z",
    "dateReserved": "2026-01-22T18:19:49.174Z",
    "dateUpdated": "2026-01-27T21:35:14.119Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-24408",
      "date": "2026-04-21",
      "epss": "6e-05",
      "percentile": "0.00453"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24408\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-01-26T23:16:08.973\",\"lastModified\":\"2026-03-02T21:19:25.777\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \\\"state\\\" and sends it as a parameter in the authentication request but the \\\"state\\\" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.\"},{\"lang\":\"es\",\"value\":\"sigstore-python es una herramienta de Python para generar y verificar firmas de Sigstore. Antes de la versi\u00f3n 4.2.0, el flujo de autenticaci\u00f3n OAuth de sigstore-python es susceptible a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. `_OAuthSession` crea un \u0027estado\u0027 \u00fanico y lo env\u00eda como par\u00e1metro en la petici\u00f3n de autenticaci\u00f3n, pero el \u0027estado\u0027 en la respuesta del servidor parece no ser verificado con este valor. La versi\u00f3n 4.2.0 contiene un parche para el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N\",\"baseScore\":0.0,\"baseSeverity\":\"NONE\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":0.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":3.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:sigstore-python:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.2.0\",\"matchCriteriaId\":\"7DA3586E-04FD-4D7E-85C8-BAE152F3C9D8\"}]}]}],\"references\":[{\"url\":\"https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24408\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-27T21:35:04.864095Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-27T21:35:10.160Z\"}}], \"cna\": {\"title\": \"sigstore has CSRF possibility in OIDC authentication during signing\", \"source\": {\"advisory\": \"GHSA-hm8f-75xx-w2vr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 0, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"NONE\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"sigstore\", \"product\": \"sigstore-python\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.2.0\"}]}], \"references\": [{\"url\": \"https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr\", \"name\": \"https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa\", \"name\": \"https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0\", \"name\": \"https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \\\"state\\\" and sends it as a parameter in the authentication request but the \\\"state\\\" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352: Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-01-26T22:21:35.047Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24408\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-27T21:35:14.119Z\", \"dateReserved\": \"2026-01-22T18:19:49.174Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-01-26T22:21:35.047Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-HM8F-75XX-W2VR

Vulnerability from github – Published: 2026-01-26 21:34 – Updated: 2026-01-29 03:24

Summary

sigstore CSRF possibility in OIDC authentication during signing

Details

Summary

The sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.

Details

_OAuthSession creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value.

Fix should be fairly trivial.

Impact

This should be low impact: A man-in-the middle attacker could trick a sigstore-python user into signing something with an identity controlled by the attacker (by returning the response to an authentication request they created). This would be quite confusing but not dangerous.

Severity ?

0.0 (None)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "sigstore"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-24408"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-26T21:34:50Z",
    "nvd_published_at": "2026-01-26T23:16:08Z",
    "severity": "LOW"
  },
  "details": "### Summary\n\nThe sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery.\n\n### Details\n\n`_OAuthSession` creates a unique \"state\" and sends it as a parameter in the authentication request but the \"state\" in the server response seems not not be cross-checked with this value. \n\nFix should be fairly trivial.\n\n### Impact\n\nThis should be low impact: A man-in-the middle attacker could trick a sigstore-python user into signing something with an identity controlled by the attacker (by returning the response to an authentication request they created). This would be quite confusing but not dangerous.",
  "id": "GHSA-hm8f-75xx-w2vr",
  "modified": "2026-01-29T03:24:33Z",
  "published": "2026-01-26T21:34:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24408"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sigstore/sigstore-python"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "sigstore CSRF possibility in OIDC authentication during signing"
}

FKIE_CVE-2026-24408

Vulnerability from fkie_nvd - Published: 2026-01-26 23:16 - Updated: 2026-03-02 21:19

Severity ?

0.0 (None) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N
5.0 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa	Patch
security-advisories@github.com	https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0	Product, Release Notes
security-advisories@github.com	https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr	Vendor Advisory

Impacted products

	Vendor	Product	Version
	linuxfoundation	sigstore-python	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:linuxfoundation:sigstore-python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7DA3586E-04FD-4D7E-85C8-BAE152F3C9D8",
              "versionEndExcluding": "4.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \"state\" and sends it as a parameter in the authentication request but the \"state\" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "sigstore-python es una herramienta de Python para generar y verificar firmas de Sigstore. Antes de la versi\u00f3n 4.2.0, el flujo de autenticaci\u00f3n OAuth de sigstore-python es susceptible a la falsificaci\u00f3n de petici\u00f3n en sitios cruzados. `_OAuthSession` crea un \u0027estado\u0027 \u00fanico y lo env\u00eda como par\u00e1metro en la petici\u00f3n de autenticaci\u00f3n, pero el \u0027estado\u0027 en la respuesta del servidor parece no ser verificado con este valor. La versi\u00f3n 4.2.0 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-24408",
  "lastModified": "2026-03-02T21:19:25.777",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 0.0,
          "baseSeverity": "NONE",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 0.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 3.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-26T23:16:08.973",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

OPENSUSE-SU-2026:10104-1

Vulnerability from csaf_opensuse - Published: 2026-01-27 00:00 - Updated: 2026-01-27 00:00

Summary

python311-sigstore-4.2.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: python311-sigstore-4.2.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the python311-sigstore-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10104

CVE-2026-24408

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-24408/	self
	https://www.suse.com/security/cve/CVE-2026-24408	external
	https://bugzilla.suse.com/1257303	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python311-sigstore-4.2.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python311-sigstore-4.2.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10104",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10104-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-24408 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-24408/"
      }
    ],
    "title": "python311-sigstore-4.2.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-01-27T00:00:00Z",
      "generator": {
        "date": "2026-01-27T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10104-1",
      "initial_release_date": "2026-01-27T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-01-27T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-sigstore-4.2.0-1.1.aarch64",
                "product": {
                  "name": "python311-sigstore-4.2.0-1.1.aarch64",
                  "product_id": "python311-sigstore-4.2.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-sigstore-4.2.0-1.1.aarch64",
                "product": {
                  "name": "python312-sigstore-4.2.0-1.1.aarch64",
                  "product_id": "python312-sigstore-4.2.0-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-sigstore-4.2.0-1.1.aarch64",
                "product": {
                  "name": "python313-sigstore-4.2.0-1.1.aarch64",
                  "product_id": "python313-sigstore-4.2.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-sigstore-4.2.0-1.1.ppc64le",
                "product": {
                  "name": "python311-sigstore-4.2.0-1.1.ppc64le",
                  "product_id": "python311-sigstore-4.2.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-sigstore-4.2.0-1.1.ppc64le",
                "product": {
                  "name": "python312-sigstore-4.2.0-1.1.ppc64le",
                  "product_id": "python312-sigstore-4.2.0-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-sigstore-4.2.0-1.1.ppc64le",
                "product": {
                  "name": "python313-sigstore-4.2.0-1.1.ppc64le",
                  "product_id": "python313-sigstore-4.2.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-sigstore-4.2.0-1.1.s390x",
                "product": {
                  "name": "python311-sigstore-4.2.0-1.1.s390x",
                  "product_id": "python311-sigstore-4.2.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-sigstore-4.2.0-1.1.s390x",
                "product": {
                  "name": "python312-sigstore-4.2.0-1.1.s390x",
                  "product_id": "python312-sigstore-4.2.0-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-sigstore-4.2.0-1.1.s390x",
                "product": {
                  "name": "python313-sigstore-4.2.0-1.1.s390x",
                  "product_id": "python313-sigstore-4.2.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python311-sigstore-4.2.0-1.1.x86_64",
                "product": {
                  "name": "python311-sigstore-4.2.0-1.1.x86_64",
                  "product_id": "python311-sigstore-4.2.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-sigstore-4.2.0-1.1.x86_64",
                "product": {
                  "name": "python312-sigstore-4.2.0-1.1.x86_64",
                  "product_id": "python312-sigstore-4.2.0-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-sigstore-4.2.0-1.1.x86_64",
                "product": {
                  "name": "python313-sigstore-4.2.0-1.1.x86_64",
                  "product_id": "python313-sigstore-4.2.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-sigstore-4.2.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.aarch64"
        },
        "product_reference": "python311-sigstore-4.2.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-sigstore-4.2.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.ppc64le"
        },
        "product_reference": "python311-sigstore-4.2.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-sigstore-4.2.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.s390x"
        },
        "product_reference": "python311-sigstore-4.2.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-sigstore-4.2.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.x86_64"
        },
        "product_reference": "python311-sigstore-4.2.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-sigstore-4.2.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.aarch64"
        },
        "product_reference": "python312-sigstore-4.2.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-sigstore-4.2.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.ppc64le"
        },
        "product_reference": "python312-sigstore-4.2.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-sigstore-4.2.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.s390x"
        },
        "product_reference": "python312-sigstore-4.2.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-sigstore-4.2.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.x86_64"
        },
        "product_reference": "python312-sigstore-4.2.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-sigstore-4.2.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.aarch64"
        },
        "product_reference": "python313-sigstore-4.2.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-sigstore-4.2.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.ppc64le"
        },
        "product_reference": "python313-sigstore-4.2.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-sigstore-4.2.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.s390x"
        },
        "product_reference": "python313-sigstore-4.2.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-sigstore-4.2.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.x86_64"
        },
        "product_reference": "python313-sigstore-4.2.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-24408",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-24408"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique \"state\" and sends it as a parameter in the authentication request but the \"state\" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.aarch64",
          "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.s390x",
          "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.x86_64",
          "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.aarch64",
          "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.s390x",
          "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.x86_64",
          "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.aarch64",
          "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.s390x",
          "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-24408",
          "url": "https://www.suse.com/security/cve/CVE-2026-24408"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1257303 for CVE-2026-24408",
          "url": "https://bugzilla.suse.com/1257303"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.aarch64",
            "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.s390x",
            "openSUSE Tumbleweed:python311-sigstore-4.2.0-1.1.x86_64",
            "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.aarch64",
            "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.s390x",
            "openSUSE Tumbleweed:python312-sigstore-4.2.0-1.1.x86_64",
            "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.aarch64",
            "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.s390x",
            "openSUSE Tumbleweed:python313-sigstore-4.2.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-01-27T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-24408"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-24408 (GCVE-0-2026-24408)

GHSA-HM8F-75XX-W2VR

Summary

Details

Impact

FKIE_CVE-2026-24408

OPENSUSE-SU-2026:10104-1

Tags

Sightings

Nomenclature