CVE-2026-24408
MEDIUM WAF: Low
CVSS 5.0
Published: 2026-01-26
CWE-352
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.
WAF Coverage Analysis
Cross-Site Request Forgery (CSRF)
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| linuxfoundation | sigstore-python | up to 4.2.0 |
References
- github.com (Patch)
- github.com (Product, Release Notes)
- github.com (Vendor Advisory)