Bug 2428445 (CVE-2026-22703) - CVE-2026-22703 github.com/sigstore/cosign: Cosign verification accepts any valid Rekor entry under certain conditions
Keywords:
Status: NEW
Alias: CVE-2026-22703
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2429305 2429306 2429307 2429308 2429309 2429310
Blocks:
 
Reported: 2026-01-10 07:01 UTC by OSIDB Bzimport
Modified: 2026-04-30 04:17 UTC (History)
CC List: 19 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-10 07:01:56 UTC
Cosign provides code signing and transparency for containers and binaries. Prior to versions 2.6.2 and 3.0.4, a Cosign bundle can be crafted to successfully verify an artifact even if the embedded Rekor entry does not reference the artifact's digest, signature or public key. When verifying a Rekor entry, Cosign verifies the Rekor entry signature and also compares the artifact's digest, the user's public key (from either a Fulcio certificate or supplied by the user) and the artifact signature against the Rekor entry contents. Without these comparisons, Cosign would accept any response from Rekor as valid. A malicious actor who has compromised a user's identity or signing key could construct a valid Cosign bundle that includes an arbitrary Rekor entry, thus preventing the user from being able to audit the signing event. This issue has been patched in versions 2.6.2 and 3.0.4.

