Vulnerability in Sigstore Cosign
CVE-2026-24122
Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be considered valid during verification even if th…
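The defect described above is that the leaf certificate's validity window was checked at the verification time but the issuing certificate's was not, so a leaf that outlives its issuer still passed. The following is an added example, not Cosign's code: it constructs a toy chain (an issuing CA valid for one hour and a leaf it signs that is valid for 24 hours) and shows the check a verifier must apply, namely that every certificate in the path, issuers included, is in-window at the verification time. The certificates, names and times are constructed here; the verification time is assumed to be supplied by the caller.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildChain constructs a toy two-certificate chain (not Sigstore material):
// a self-signed issuing CA valid for one hour and a leaf signed by it that is
// valid for 24 hours, so the leaf's window outlives its issuer's.
func buildChain(now time.Time) (leaf, ca *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed issuing CA"},
		NotBefore:             now,
		NotAfter:              now.Add(1 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed leaf"},
		NotBefore:    now,
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return leaf, ca, nil
}

// chainValidAt is the check a verifier must apply to every certificate in the
// path (leaf first, then its issuers), not only to the leaf: if the issuing
// certificate's window does not contain t, nothing it issued is valid at t.
func chainValidAt(chain []*x509.Certificate, t time.Time) error {
	for _, c := range chain {
		if t.Before(c.NotBefore) || t.After(c.NotAfter) {
			return fmt.Errorf("%q is not valid at %s (window %s to %s)",
				c.Subject.CommonName, t.Format(time.RFC3339),
				c.NotBefore.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339))
		}
	}
	return nil
}

// verifyAt runs Go's standard path validation with the clock pinned to t.
// x509.Verify applies the validity window to every certificate in the path,
// so an expired issuer is rejected even when the leaf is still in-window.
func verifyAt(leaf, ca *x509.Certificate, t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: t,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	now := time.Date(2026, 2, 19, 0, 0, 0, 0, time.UTC) // constructed clock
	leaf, ca, err := buildChain(now)
	if err != nil {
		panic(err)
	}
	// 30 minutes in: both certificates valid. 2 hours in: issuer expired, leaf still valid.
	for _, t := range []time.Time{now.Add(30 * time.Minute), now.Add(2 * time.Hour)} {
		fmt.Printf("verify at %s\n", t.Format(time.RFC3339))
		fmt.Printf("  leaf-only window check passes: %v\n", !t.Before(leaf.NotBefore) && !t.After(leaf.NotAfter))
		fmt.Printf("  whole-chain window check:      %v\n", chainValidAt([]*x509.Certificate{leaf, ca}, t))
		fmt.Printf("  x509.Verify:                   %v\n", verifyAt(leaf, ca, t))
	}
}
```

At the second time the leaf-only check still reports the leaf as valid, which is exactly the gap the advisory describes; the whole-chain check and the standard library's path validation both reject it because the issuer's window has ended.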
Vulnerability class: Improper Certificate Validation
EPSS: 0.000 (1.5th percentile).
CVSS v3 metric
CVSS v3 base score 3.7 (Low). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
- Sigstore Cosign — versions < 3.0.5
Weakness classification (CWE)
- CWE-295: Improper Certificate Validation
References
- https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm (x_refsource_CONFIRM)
- https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e (x_refsource_MISC)
- https://github.com/sigstore/cosign/releases/tag/v3.0.5 (x_refsource_MISC)
Frequently asked questions
- What is CVE-2026-24122?
- CVE-2026-24122 is a low-severity vulnerability in Sigstore Cosign, classified under Improper Certificate Validation. CVSS score: 3.7/10. Published 2026-02-19.
- How severe is CVE-2026-24122?
- Low severity. CVSS v3 base score is 3.7 out of 10.