{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/sigstore/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Fulcio (\u003c= 1.8.5)"],"_cs_severities":["high"],"_cs_tags":["supply-chain-security","kubernetes","oidc","ssrf","jwks","cve"],"_cs_type":"advisory","_cs_vendors":["Sigstore"],"content_html":"\u003cp\u003eThree critical security vulnerabilities (CVE-2026-49478) have been identified in the OIDC Discovery client within Sigstore Fulcio versions up to and including 1.8.5. Fulcio, a certificate authority for Sigstore, is crucial for verifying the authenticity of software artifacts in the supply chain. Prior to this fix, Fulcio's OIDC discovery process could be exploited by a malicious or compromised OIDC issuer. This allowed attackers to redirect Fulcio's internal HTTP requests to internal systems, leading to blind Server-Side Request Forgery (SSRF). Furthermore, attackers could poison Fulcio's verifier cache by substituting legitimate JSON Web Key Sets (JWKS) with attacker-controlled ones, enabling the forging of signatures. Compounding these issues, Fulcio's integration with Kubernetes meant ServiceAccount tokens could be leaked to external hosts during OIDC discovery, granting attackers potential access to Kubernetes cluster resources. These flaws severely undermine the integrity and security guarantees provided by Fulcio.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker either controls a malicious OIDC issuer or compromises a legitimate one configured for Fulcio.\u003c/li\u003e\n\u003cli\u003eFulcio, during its OIDC discovery process, initiates a request to fetch metadata (\u003ccode\u003e/.well-known/openid-configuration\u003c/code\u003e) from the attacker-controlled OIDC issuer.\u003c/li\u003e\n\u003cli\u003eThe malicious OIDC issuer responds with an HTTP 3xx redirect to an internal IP address or hostname within Fulcio's network, such as the Kubernetes API server (\u003ccode\u003ehttps://kubernetes.default.svc\u003c/code\u003e), triggering a blind SSRF.\u003c/li\u003e\n\u003cli\u003eSimultaneously, the attacker-controlled issuer can provide a \u003ccode\u003ejwks_uri\u003c/code\u003e in its discovery response that points to an endpoint under the attacker's control.\u003c/li\u003e\n\u003cli\u003eFulcio, following the malicious \u003ccode\u003ejwks_uri\u003c/code\u003e, fetches the attacker's JSON Web Key Set (JWKS) and caches it, effectively poisoning its internal verifier cache.\u003c/li\u003e\n\u003cli\u003eWith the poisoned cache, the attacker can now forge signatures for software artifacts that Fulcio will validate as legitimate, bypassing critical integrity checks in the supply chain.\u003c/li\u003e\n\u003cli\u003eDuring these redirected HTTP requests and JWKS fetches, Fulcio inappropriately attaches its mounted Kubernetes ServiceAccount token to outbound requests directed towards the external, attacker-controlled hosts.\u003c/li\u003e\n\u003cli\u003eThis leakage exposes the Kubernetes ServiceAccount token to the attacker, potentially enabling further reconnaissance, privilege escalation, and direct access to the Kubernetes cluster API and its resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe identified vulnerabilities have severe consequences across several domains. The blind SSRF allows attackers to probe and potentially interact with internal network services and infrastructure that would otherwise be inaccessible, potentially revealing sensitive information or enabling further internal attacks. JWKS substitution directly compromises the integrity verification process, allowing attackers to sign and distribute malicious software that appears legitimate, undermining the trust model of Sigstore and supply chain security. Most critically, the leakage of Kubernetes ServiceAccount tokens provides attackers with credentials that can be used to gain unauthorized access to the Kubernetes cluster. This can lead to full cluster compromise, data exfiltration, resource manipulation, and deployment of malicious workloads, affecting a wide range of organizations using Fulcio for artifact signing and verification, particularly those deployed within Kubernetes environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade immediately\u003c/strong\u003e: Patch affected Sigstore Fulcio instances to version 1.8.6 or newer to address CVE-2026-49478.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor application logs\u003c/strong\u003e: Review application logs for Fulcio's OIDC discovery process for unusual HTTP redirects or fetches from unexpected \u003ccode\u003ejwks_uri\u003c/code\u003e endpoints, although the SSRF is blind and direct detection may be challenging.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview Kubernetes ServiceAccount usage\u003c/strong\u003e: Audit the permissions granted to the Kubernetes ServiceAccounts used by Fulcio to ensure they adhere to the principle of least privilege, minimizing the impact of potential token leakage as described in CVE-2026-49478.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T13:03:14Z","date_published":"2026-07-03T13:03:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sigstore-fulcio-oidc-ssrf-jwks-cve-2026-49478/","summary":"A high-severity vulnerability (CVE-2026-49478) in Sigstore Fulcio's OIDC discovery client allows blind Server-Side Request Forgery (SSRF) via cross-host redirects, facilitates JWKS substitution for cache poisoning, and causes Kubernetes ServiceAccount token leakage to external attackers, potentially compromising supply chain integrity and cluster resources.","title":"Sigstore Fulcio Vulnerabilities: OIDC Discovery Redirect Leads to SSRF, JWKS Substitution, and Kubernetes Token Leakage (CVE-2026-49478)","url":"https://feed.craftedsignal.io/briefs/2026-07-sigstore-fulcio-oidc-ssrf-jwks-cve-2026-49478/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["npm/sigstore"],"_cs_severities":["high"],"_cs_tags":["vulnerability","supply-chain","software-security","javascript","npm","code-signing"],"_cs_type":"advisory","_cs_vendors":["Sigstore"],"content_html":"\u003cp\u003eA significant security vulnerability, identified as CVE-2026-48815, affects the \u003ccode\u003enpm/sigstore\u003c/code\u003e JavaScript library in versions up to and including 4.1.0. This flaw stems from a critical oversight in the library's certificate verification logic: while the public \u003ccode\u003esigstore.verify()\u003c/code\u003e API accepts the \u003ccode\u003ecertificateOIDs\u003c/code\u003e option, which is intended to enforce specific object identifiers (OIDs) within a certificate's extensions, this constraint is silently dropped during policy construction. Consequently, applications that rely on \u003ccode\u003ecertificateOIDs\u003c/code\u003e to restrict accepted certificates for artifact signing are left without this crucial protection. An attacker could exploit this by presenting a certificate lacking the expected OIDs, yet still satisfying other verification checks, thereby bypassing a key policy enforcement mechanism and potentially enabling the trust of unauthorized or malicious software artifacts in a supply chain.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker crafts malicious artifact\u003c/strong\u003e: An attacker creates a malicious software package or artifact intended for distribution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker obtains unauthorized signing certificate\u003c/strong\u003e: The attacker acquires a certificate that meets general validity criteria (e.g., correct issuer, valid dates) but \u003cem\u003elacks\u003c/em\u003e specific critical OID extensions that the target application's \u003ccode\u003esigstore\u003c/code\u003e configuration \u003cem\u003eintends\u003c/em\u003e to enforce via \u003ccode\u003ecertificateOIDs\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker signs malicious artifact\u003c/strong\u003e: The attacker signs the malicious artifact using their unauthorized certificate.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTarget system attempts to verify artifact\u003c/strong\u003e: A target system, using a vulnerable \u003ccode\u003enpm/sigstore\u003c/code\u003e library (\u0026lt;= 4.1.0) and configured with \u003ccode\u003ecertificateOIDs\u003c/code\u003e to enforce specific OID policies, attempts to verify the signed artifact.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003e\u003ccode\u003esigstore\u003c/code\u003e silently drops OID constraints\u003c/strong\u003e: Due to the vulnerability, the \u003ccode\u003enpm/sigstore\u003c/code\u003e library's \u003ccode\u003ecreateVerificationPolicy()\u003c/code\u003e function silently ignores the \u003ccode\u003ecertificateOIDs\u003c/code\u003e parameter when constructing the verification policy.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArtifact falsely deemed legitimate\u003c/strong\u003e: The signed malicious artifact passes \u003ccode\u003esigstore\u003c/code\u003e verification because the critical OID extension check, which should have rejected the unauthorized certificate, was never applied.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious artifact executed/deployed\u003c/strong\u003e: The target system proceeds to trust and potentially execute or deploy the malicious artifact, believing it to be legitimately signed and compliant with its security policies.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eApplications integrating the \u003ccode\u003enpm/sigstore\u003c/code\u003e library that depend on the \u003ccode\u003ecertificateOIDs\u003c/code\u003e feature for robust certificate policy enforcement are rendered vulnerable to supply chain attacks. This vulnerability means that unauthorized or non-compliant certificates, which should be explicitly rejected based on missing or incorrect OID extensions, will instead be accepted by the verification process. The direct consequence is that organizations relying on this library for software supply chain integrity could inadvertently trust and deploy malicious artifacts. This could lead to a wide range of impacts, including system compromise, data exfiltration, or the introduction of backdoors, undermining the entire purpose of artifact signing and verification. The exact number of affected organizations is difficult to ascertain, but any user of \u003ccode\u003enpm/sigstore\u003c/code\u003e up to version 4.1.0 configured with \u003ccode\u003ecertificateOIDs\u003c/code\u003e is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48815 immediately\u003c/strong\u003e: Upgrade \u003ccode\u003enpm/sigstore\u003c/code\u003e to a patched version (4.1.1 or later) to address CVE-2026-48815, ensuring \u003ccode\u003ecertificateOIDs\u003c/code\u003e are correctly enforced during verification.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview \u003ccode\u003esigstore\u003c/code\u003e configurations\u003c/strong\u003e: Audit all \u003ccode\u003esigstore.verify()\u003c/code\u003e and \u003ccode\u003ecreateVerifier()\u003c/code\u003e calls in your codebase to confirm that certificate validation logic correctly identifies and rejects certificates that do not meet expected OID constraints, even after patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:37:11Z","date_published":"2026-07-03T12:37:11Z","id":"https://feed.craftedsignal.io/briefs/2026-07-sigstore-oid-bypass/","summary":"A high-severity vulnerability (CVE-2026-48815) in the `npm/sigstore` library (versions \u003c= 4.1.0) causes the `certificateOIDs` verification constraint to be silently ignored, allowing applications to accept unauthorized certificates that should have been rejected based on extension policy, which could lead to supply chain attacks by trusting malicious artifacts.","title":"Sigstore `certificateOIDs` Verification Bypass Vulnerability (CVE-2026-48815)","url":"https://feed.craftedsignal.io/briefs/2026-07-sigstore-oid-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Sigstore","version":"https://jsonfeed.org/version/1.1"}