PT-2026-4298 · Rekor · Rekor

1Seal · Published 2026-01-22 · Updated 2026-05-18 · CVE-2026-24117

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Rekor versions 1.4.3 and below
Description: Rekor is a software supply chain transparency log. A Server-Side Request Forgery (SSRF) exists in versions 1.4.3 and below because the /api/v1/index/retrieve endpoint supports retrieval of a public key from a user-provided URL. The SSRF is limited to GET requests and does not allow state modification or data exfiltration. An attacker could potentially probe an internal network through blind SSRF.
Recommendations: Disable the search endpoint by starting rekor-server with --enable_retrieve_api=false.

Weakness Enumeration: SSRF

Related Identifiers

AZL-76446
AZL-76542
AZL-76547
AZL-76608
CLEANSTART-2026-GK29346
CLEANSTART-2026-HF07497
CLEANSTART-2026-WB12909
CLEANSTART-2026-WN01990
CVE-2026-24117
GHSA-4C4X-JM2X-PF9J
GO-2026-4355
OPENSUSE-SU-2026:10127-1
SUSE-SU-2026:0403-1

Affected Products

Rekor