PT-2026-32611 · Sigstore · Sigstore Timestamp Authority

Published: 2026-04-14 · Updated: 2026-05-18 · CVE-2026-39984

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Sigstore Timestamp Authority versions prior to 2.0.6

Description

An authorization bypass exists in the timestamp-authority/v2/pkg/verification package. The VerifyTimestampResponse() function correctly verifies the certificate chain signature, but the VerifyLeafCert() function uses the first non-CA certificate from the PKCS#7 certificate bag instead of the leaf certificate from the verified chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key, causing the library to validate the signature against one certificate but perform authorization checks against another.

Recommendations

Update to version 2.0.6. As a temporary workaround, users of VerifyTimestampResponse() can use the TSACertificate option to specify the exact certificate they expect to be used.
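The certificate mismatch described above, as an added example that is not from the advisory or the Sigstore code base: a minimal Go model using only crypto/x509 and constructed test certificates. NewCert, FlawedLeaf, CheckTSA and Scenario are hypothetical names; the example does not parse PKCS#7, so the certificate the signature verified against is passed in directly, and the TSACertificate workaround is modelled as an equality check on that certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// NewCert issues a constructed test certificate (hypothetical helper); a nil parent means self-signed.
func NewCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}
// FlawedLeaf mirrors the pre-2.0.6 selection: the first non-CA certificate in the bag, whatever actually signed.
func FlawedLeaf(bag []*x509.Certificate) *x509.Certificate {
	return bag[slices.IndexFunc(bag, func(c *x509.Certificate) bool { return !c.IsCA })]
}
// CheckTSA chains signer (the certificate the signature verified against) to roots, then authorizes leaf by name.
func CheckTSA(signer, leaf *x509.Certificate, roots *x509.CertPool, wantCN string) bool {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}); err != nil {
		return false // signing certificate does not chain to a trusted root
	}
	return leaf.Subject.CommonName == wantCN // only sound when leaf is the verified signer itself
}
// Scenario: a forged self-signed "expected-tsa" cert is prepended to a bag whose real signer is a different, authorized TSA.
func Scenario() (flawed, fixed, pinned bool) {
	root, rootKey := NewCert("root-ca", true, nil, nil)
	signer, _ := NewCert("other-tsa", false, root, rootKey) // chains to root, but is not the expected TSA
	forged, _ := NewCert("expected-tsa", false, nil, nil)   // attacker-supplied, never chain-verified
	expected, _ := NewCert("expected-tsa", false, root, rootKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	bag := []*x509.Certificate{forged, signer, root}
	flawed = CheckTSA(signer, FlawedLeaf(bag), roots, "expected-tsa") // true: forged certificate passes the name check
	fixed = CheckTSA(signer, signer, roots, "expected-tsa")           // false: the verified leaf is the one checked
	pinned = expected.Equal(signer) && flawed                         // false: the TSACertificate-style pin rejects the signer
	return
}
```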

Fix

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CLEANSTART-2026-BD19566
CLEANSTART-2026-EP10142
CLEANSTART-2026-FA95643
CLEANSTART-2026-HI89495
CLEANSTART-2026-NS33477
CLEANSTART-2026-OF37807
CLEANSTART-2026-TX25294
CVE-2026-39984
GHSA-XM5M-WGH2-RRG3
OPENSUSE-SU-2026:10651-1
OPENSUSE-SU-2026:10702-1

Affected Products

Sigstore Timestamp Authority