Vulnerability Description
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Rekor | < 1.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275Patch
- https://github.com/sigstore/rekor/releases/tag/v1.5.0ProductRelease Notes
- https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9jVendor Advisory
FAQ
What is CVE-2026-24117?
CVE-2026-24117 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public ke...
How severe is CVE-2026-24117?
CVE-2026-24117 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-24117?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Rekor.