PT-2026-31010 · Google · Cosign

Kodareef5

Published

2026-04-07

Updated

2026-06-11

CVE-2026-39395

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Cosign versions prior to 3.0.6 and prior to 2.6.3

Description Cosign, a tool for code signing and transparency for containers and binaries, had a flaw in verify-blob-attestation where it could incorrectly report a successful verification (“Verified OK”) for attestations containing malformed payloads or mismatched predicate types. This occurred due to a logic error in predicate type validation for older bundle formats and a complete bypass of predicate type validation for newer bundle formats.

Recommendations Update to version 3.0.6 or later. Update to version 2.6.3 or later.

Fix

Improper Check for Exceptional Conditions

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-754

Related Identifiers

BIT-COSIGN-2026-39395

CVE-2026-39395

GHSA-W6C6-C85G-MMV6

OPENSUSE-SU-2026:10753-1

SUSE-SU-2026:2365-1

Affected Products

Cosign

PT-2026-31010 · Google · Cosign

CVE-2026-39395

Weakness Enumeration

Related Identifiers

Affected Products

References · 17