High severity · NVD Advisory · Published Mar 10, 2026 · Updated Mar 11, 2026
sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest
CVE-2026-31830
Description
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the digest of the artifact being verified does not match the digest recorded in the in-toto statement's subject. As a result, verifying a DSSE bundle that wraps an in-toto statement returns VerificationSuccess whether or not the artifact is the attested subject, so a valid attestation for one artifact is accepted as if it covered another. This vulnerability is fixed in 0.2.3; consumers should upgrade and confirm that verifying a bundle against an artifact with a different digest now fails.
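The following is an added, self-contained illustration of the bug class, not code from sigstore-ruby: a minimal in-toto subject check over a DSSE envelope, a verifier that computes the check's result but drops it (the vulnerable shape), and one that propagates the failure (the fixed shape). The envelope, statement, artifact, and the `verify_in_toto`, `verify_vulnerable`, and `verify_fixed` names are constructed for the example; the DSSE signature check is out of scope here, and the real library's method signatures and result classes are not reproduced.

```ruby
require "json"
require "digest"

# Constructed sample artifact and its sha256 (not a real sigstore bundle).
ARTIFACT = "hello, sigstore\n"
ATTESTED_DIGEST = Digest::SHA256.hexdigest(ARTIFACT)

# Build a DSSE envelope whose payload is an in-toto Statement v1 with one
# subject carrying the given sha256. The signature is a placeholder: this
# example only exercises the subject-digest binding, not signature checks.
def build_envelope(subject_digest)
  statement = {
    "_type" => "https://in-toto.io/Statement/v1",
    "subject" => [{ "name" => "hello.txt",
                    "digest" => { "sha256" => subject_digest } }],
    "predicateType" => "https://slsa.dev/provenance/v1",
    "predicate" => {}
  }
  {
    "payloadType" => "application/vnd.in-toto+json",
    "payload" => [JSON.generate(statement)].pack("m0"), # strict base64
    "signatures" => [{ "keyid" => "", "sig" => "placeholder" }]
  }
end

# Hypothetical result types mirroring a success/failure pair.
class VerificationFailure
  attr_reader :reason
  def initialize(reason) = @reason = reason
  def verified? = false
end

class VerificationSuccess
  def verified? = true
end

# Check that the artifact's sha256 matches at least one subject digest in
# the in-toto statement carried by the envelope.
def verify_in_toto(envelope, artifact_bytes)
  unless envelope["payloadType"] == "application/vnd.in-toto+json"
    return VerificationFailure.new("payloadType is not in-toto")
  end
  statement = JSON.parse(envelope["payload"].unpack1("m0"))
  actual = Digest::SHA256.hexdigest(artifact_bytes)
  matched = Array(statement["subject"]).any? do |subject|
    subject.dig("digest", "sha256").to_s.downcase == actual
  end
  return VerificationSuccess.new if matched

  VerificationFailure.new("artifact sha256 #{actual} matches no attested subject")
end

# Vulnerable shape: the subject check runs, but its result is discarded and
# the method falls through to success regardless of the outcome.
def verify_vulnerable(envelope, artifact_bytes)
  verify_in_toto(envelope, artifact_bytes) # return value ignored
  VerificationSuccess.new
end

# Fixed shape: any failure from the subject check is returned to the caller.
def verify_fixed(envelope, artifact_bytes)
  result = verify_in_toto(envelope, artifact_bytes)
  return result unless result.verified?

  VerificationSuccess.new
end

if __FILE__ == $PROGRAM_NAME
  wrong = build_envelope("0" * 64) # attestation for a different artifact
  puts "vulnerable: #{verify_vulnerable(wrong, ARTIFACT).verified?}"
  puts "fixed:      #{verify_fixed(wrong, ARTIFACT).verified?}"
end
```

The regression check a consumer would want is the last case: an envelope whose subject digest is not the artifact's digest must be rejected by the top-level verify, not only by the inner in-toto check.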
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sigstore | RubyGems | < 0.2.3 | 0.2.3 |