Vulnerability Description
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" value and sends it as a parameter in the authentication request, but the "state" returned in the server response does not appear to be cross-checked against that value. Version 4.2.0 contains a patch for the issue.
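The defect described above is the generic OAuth authorization-code mistake of minting a `state` value, sending it to the identity provider, and then not comparing it with the `state` that comes back on the redirect. The following added example (written for this page; it is not sigstore-python's `_OAuthSession` and makes no claim about that code's internals) shows a small hypothetical authorization-code client with the unchecked pattern next to the corrected one, plus a helper that constructs redirect URLs so both paths can be exercised offline. All endpoint, client and code values are constructed placeholders.

```python
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse


class StateMismatchError(Exception):
    """Raised when the redirect's 'state' is missing, reused, or differs from what we sent."""


class OAuthSession:
    """Minimal authorization-code client (hypothetical; not sigstore-python's own code)."""

    def __init__(self, auth_endpoint: str, client_id: str, redirect_uri: str) -> None:
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # Unpredictable per-session value; the browser carries it to the IdP and back.
        self.state = secrets.token_urlsafe(32)
        self._state_consumed = False

    def auth_url(self) -> str:
        """Build the authorization request that includes our 'state'."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid",
            "state": self.state,
        }
        return f"{self.auth_endpoint}?{urlencode(params)}"

    @staticmethod
    def _query(redirect_url: str) -> dict:
        return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}

    def code_from_redirect_unchecked(self, redirect_url: str) -> str:
        """Vulnerable pattern: accepts whatever 'code' arrives and ignores 'state'."""
        return self._query(redirect_url)["code"]

    def code_from_redirect(self, redirect_url: str) -> str:
        """Corrected pattern: accept the code only if 'state' round-tripped unchanged, once."""
        if self._state_consumed:
            raise StateMismatchError("state already used for this session")
        q = self._query(redirect_url)
        received = q.get("state", "")
        # Constant-time comparison on bytes so a non-ASCII value cannot raise TypeError.
        if not secrets.compare_digest(received.encode("utf-8"), self.state.encode("utf-8")):
            raise StateMismatchError("state parameter missing or does not match")
        self._state_consumed = True
        return q["code"]


def build_redirect(redirect_uri: str, code: str, state: Optional[str]) -> str:
    """Construct a redirect URL of the shape an IdP would send back (test helper)."""
    params = {"code": code}
    if state is not None:
        params["state"] = state
    return f"{redirect_uri}?{urlencode(params)}"
```

The check lives in the redirect handler rather than at token exchange because that is the point where the client decides whether a `code` belongs to the flow it started; making the value single-use also closes the window in which a stale redirect could be replayed after a legitimate one.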
CVSS Score
NONE
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Sigstore-Python | < 4.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074e (Patch)
- https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0 (Product Release Notes)
- https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w (Vendor Advisory)
FAQ
What is CVE-2026-24408?
CVE-2026-24408 is a vulnerability with a CVSS score of 0.0 (NONE). sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `...
How severe is CVE-2026-24408?
CVE-2026-24408 has been rated NONE with a CVSS base score of 0.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-24408?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Sigstore-Python.