PT-2026-38414 · Gittuf · Gittuf

Andrew · Published 2026-05-07 · Updated 2026-05-14 · CVE-2026-44544

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: gittuf versions prior to 0.14.0

Description: An attacker with push access to the Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys. This occurs because gittuf determines the policy to load by inspecting the RSL and validates new policies by checking if their root metadata is signed by the required threshold of the current policy's root keys. Consequently, an attacker can create a new RSL entry referencing an old, trusted policy to revert the system to a chosen state. This attack is limited to policies still trusted by the most recent root keys and requires the attacker or the hosting forge to have push access to the RSL.

Recommendations: Update to version 0.14.0 or later. After upgrading, a root of trust user or policy administrator must run the gittuf trust increment-version or gittuf policy increment-version command to add the monotonically increasing number field to the metadata.
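The following Go program is an added illustration of the check described above, not gittuf's own code: it models policy acceptance as signature-threshold-only (the pre-0.14.0 behaviour) beside the same check extended with the monotonically increasing version number, and shows that an RSL entry pointing back at an older, still-trusted policy passes the first and fails the second. All types, field names and key identifiers are assumptions made for this example.

```go
package main

import "fmt"

// Toy model of the rollback check in this advisory, written for this page as
// an illustration; not gittuf's code. Types, field names and keys are assumed.
type Policy struct {
	Version   int             // monotonically increasing number added in 0.14.0
	RootKeys  map[string]bool // keys trusted to sign the next root metadata
	Threshold int             // how many distinct trusted keys must sign
	SignedBy  []string        // keys whose signatures the candidate carries
}

// rootSignaturesOK models the pre-0.14.0 rule: a candidate policy is trusted
// if its root metadata is signed by a threshold of the current policy's keys.
func rootSignaturesOK(current, candidate Policy) bool {
	seen := map[string]bool{} // count each trusted key once
	for _, k := range candidate.SignedBy {
		if current.RootKeys[k] {
			seen[k] = true
		}
	}
	return len(seen) >= current.Threshold
}

// acceptVulnerable is the behaviour before the fix: signatures alone decide,
// so an RSL entry pointing at an older, still-trusted policy is accepted.
func acceptVulnerable(current, candidate Policy) bool {
	return rootSignaturesOK(current, candidate)
}

// acceptFixed adds the 0.14.0 rule: the referenced policy's version must be
// strictly greater than the one currently in force, so a rollback is refused.
func acceptFixed(current, candidate Policy) bool {
	return rootSignaturesOK(current, candidate) && candidate.Version > current.Version
}

// samplePolicies builds three constructed policies signed by one root key set.
func samplePolicies() (v1, v2, v3 Policy) {
	keys := map[string]bool{"root-A": true, "root-B": true}
	mk := func(ver int) Policy {
		return Policy{Version: ver, RootKeys: keys, Threshold: 2, SignedBy: []string{"root-A", "root-B"}}
	}
	return mk(1), mk(2), mk(3)
}

func main() {
	v1, v2, v3 := samplePolicies()
	fmt.Println(acceptVulnerable(v2, v1), acceptFixed(v2, v1), acceptFixed(v2, v3)) // true false true
}
```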

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-44544
GHSA-VXVC-CG7J-RWQJ

Affected Products

Gittuf