Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2026-24408

Good to know:

icon
icon

Date: January 26, 2026

sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. "_OAuthSession" creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.

Severity Score

Related Resources (6)

https://github.com/sigstore/sigstore-python
https://nvd.nist.gov/vuln/detail/CVE-2026-24408
https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0
https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr
https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa
https://www.mend.io/vulnerability-database/CVE-2026-24408

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

Top Fix

icon

Upgrade Version

Upgrade to version sigstore - 4.2.0;https://github.com/sigstore/sigstore-python.git - v4.2.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us