Medium severity (score 4.3) · NVD Advisory · Published Apr 7, 2026 · Updated Apr 15, 2026
CVE-2026-39395
Description
Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations whose payload is malformed or whose predicate type does not match the type requested by the verifier. For old-format bundles and detached signatures, the cause was a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. The practical consequence is that a verifier checking for one kind of attestation (for example, SLSA provenance) could accept a correctly signed attestation of a different kind, or one whose payload could not be parsed at all. This vulnerability is fixed in 3.0.6 and 2.6.3.
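The failure mode described above is that an error from the predicate type check, or the absence of that check, ends up being treated as success. The following is an added example (not cosign's code, and not a reconstruction of the fixed code) of a fail-closed predicate check over a DSSE envelope carrying an in-toto Statement: the only way to get a nil error is for the payload to decode, parse as a Statement, and carry exactly the requested predicateType. The envelopes and statements are constructed inline; the envelope omits the signature list because this check is what runs after signature verification, not a replacement for it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// dsseEnvelope is the subset of a DSSE envelope used here: the payload
// is base64 text and payloadType names what the payload is.
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"`
}

// intotoStatement is the subset of an in-toto Statement needed to decide
// which predicate the attestation actually carries.
type intotoStatement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name string `json:"name"`
	} `json:"subject"`
}

const intotoPayloadType = "application/vnd.in-toto+json"

var (
	ErrMalformed         = errors.New("malformed attestation payload")
	ErrPredicateMismatch = errors.New("predicate type mismatch")
)

// CheckPredicateType returns nil only when envelopeJSON is a DSSE envelope
// whose payload parses as an in-toto Statement with predicateType == want.
// Every other outcome (bad JSON, bad base64, wrong payloadType, missing or
// different predicateType) is an error, so a caller that maps "no error" to
// "Verified OK" cannot be satisfied by a payload it could not understand.
func CheckPredicateType(envelopeJSON []byte, want string) error {
	var env dsseEnvelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return fmt.Errorf("%w: envelope is not JSON: %v", ErrMalformed, err)
	}
	if env.PayloadType != intotoPayloadType {
		return fmt.Errorf("%w: unexpected payloadType %q", ErrMalformed, env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("%w: payload is not base64: %v", ErrMalformed, err)
	}
	var st intotoStatement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("%w: payload is not an in-toto statement: %v", ErrMalformed, err)
	}
	if st.Type != "https://in-toto.io/Statement/v0.1" && st.Type != "https://in-toto.io/Statement/v1" {
		return fmt.Errorf("%w: unknown statement _type %q", ErrMalformed, st.Type)
	}
	if len(st.Subject) == 0 {
		return fmt.Errorf("%w: statement has no subject", ErrMalformed)
	}
	if st.PredicateType == "" {
		return fmt.Errorf("%w: predicateType missing", ErrMalformed)
	}
	if st.PredicateType != want {
		return fmt.Errorf("%w: got %q, want %q", ErrPredicateMismatch, st.PredicateType, want)
	}
	return nil
}

// envelope wraps a constructed payload in a DSSE envelope (signatures omitted;
// this example only exercises the predicate check).
func envelope(payloadType string, payload []byte) []byte {
	b, _ := json.Marshal(dsseEnvelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload)})
	return b
}

func main() {
	const slsa = "https://slsa.dev/provenance/v1"
	// Constructed statements: one with the requested predicate, one signed
	// attestation of a different kind, and one truncated payload.
	good := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz"}],"predicateType":"https://slsa.dev/provenance/v1","predicate":{}}`)
	other := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz"}],"predicateType":"https://spdx.dev/Document","predicate":{}}`)
	broken := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[`)

	cases := map[string][]byte{
		"matching predicate":  envelope(intotoPayloadType, good),
		"different predicate": envelope(intotoPayloadType, other),
		"truncated payload":   envelope(intotoPayloadType, broken),
		"wrong payloadType":   envelope("text/plain", good),
	}
	for name, env := range cases {
		if err := CheckPredicateType(env, slsa); err != nil {
			fmt.Printf("%-20s REJECT: %v\n", name, err)
		} else {
			fmt.Printf("%-20s Verified OK\n", name)
		}
	}
}
```

Only the "matching predicate" case passes; the other three are rejected with a distinguishable error, which is the behaviour a verifier needs so that a signature check and a predicate check cannot be collapsed into one ambiguous "OK". When using a patched cosign, pass the expected predicate explicitly with `--type` to verify-blob-attestation rather than relying on the default, and treat any output from an unpatched 2.x or 3.0.x release as untrustworthy for predicate-type claims.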
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/sigstore/cosign | Go | >= 3.0.0, < 3.0.6 | 3.0.6 |
| github.com/sigstore/cosign | Go | < 2.6.3 | 2.6.3 |
Affected products: 1
Patches: 0 (no patch commits discovered yet)
References
- GHSA-w6c6-c85g-mmv6 (GitHub Advisory Database): https://github.com/advisories/GHSA-w6c6-c85g-mmv6
- Vendor advisory (sigstore/cosign): https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-39395