CSRF in Linuxfoundation Sigstore-python
CVE-2026-24408
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state"…
Vulnerability class: CSRF (Cross-Site Request Forgery)
EPSS: 0.002 (5.4th percentile)
Affected products
- Linuxfoundation Sigstore-python
- Sigstore Sigstore-python — versions < 4.2.0
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
- security-advisories@github.com (Patch, x_refsource_MISC)
- security-advisories@github.com (Product, x_refsource_MISC, Release Notes)