Vendor
high
advisory
Sigstore Fulcio Vulnerabilities: OIDC Discovery Redirect Leads to SSRF, JWKS Substitution, and Kubernetes Token Leakage (CVE-2026-49478)
4 TTPsA high-severity vulnerability (CVE-2026-49478) in Sigstore Fulcio's OIDC discovery client allows blind Server-Side Request Forgery (SSRF) via cross-host redirects, facilitates JWKS substitution for cache poisoning, and causes Kubernetes ServiceAccount token leakage to external attackers, potentially compromising supply chain integrity and cluster resources.
Fulcio
supply-chain-security
kubernetes
oidc
ssrf
jwks
cve
4t
high
advisory
Sigstore `certificateOIDs` Verification Bypass Vulnerability (CVE-2026-48815)
A high-severity vulnerability (CVE-2026-48815) in the `npm/sigstore` library (versions <= 4.1.0) causes the `certificateOIDs` verification constraint to be silently ignored, allowing applications to accept unauthorized certificates that should have been rejected based on extension policy, which could lead to supply chain attacks by trusting malicious artifacts.
npm/sigstore
vulnerability
supply-chain
software-security
javascript
npm
code-signing