Bug 2432218 (CVE-2026-24117) - CVE-2026-24117 github.com/sigstore/rekor: Rekor Server-Side Request Forgery (SSRF)
Summary: CVE-2026-24117 github.com/sigstore/rekor: Rekor Server-Side Request Forgery (...
Keywords:
Status: NEW
Alias: CVE-2026-24117
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2433529 2433530 2433532 2433534 2433535 2433536 2433538 2433539 2433540 2433541 2433542 2433543 2433544 2433545 2433547 2433548 2433549 2433550 2433551 2433552 2433528 2433531 2433533 2433537 2433546
Blocks:
Reported: 2026-01-22 23:03 UTC by OSIDB Bzimport
Modified: 2026-01-27 20:56 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-22 23:03:08 UTC
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via a user-provided URL. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF. The issue has been fixed in version 1.5.0. To work around this issue, disable the search endpoint with --enable_retrieve_api=false.
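As an added example, not Rekor's own code: a Go check of the kind that closes this bug class, rejecting a user-supplied key URL whose host is, or resolves to, a non-public address before any server-side fetch happens. The resolver is injected so the check runs offline; the function and host names are hypothetical.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// isDisallowedIP reports whether ip is loopback, private, link-local,
// unspecified or multicast, i.e. anything that is not publicly routable.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidatePublicKeyURL rejects a URL that would make the server reach an
// internal address. resolve is injected for offline testing; in production
// pass net.DefaultResolver.LookupIPAddr.
func ValidatePublicKeyURL(ctx context.Context, raw string,
	resolve func(context.Context, string) ([]net.IPAddr, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "https" { // no http, file, gopher or other schemes
		return errors.New("only https is allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("missing host")
	}
	if ip := net.ParseIP(host); ip != nil { // literal IP: check directly
		if isDisallowedIP(ip) {
			return fmt.Errorf("address %s is not publicly routable", ip)
		}
		return nil
	}
	addrs, err := resolve(ctx, host) // hostname: check every resolved address
	if err != nil {
		return fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(addrs) == 0 {
		return fmt.Errorf("no addresses for %s", host)
	}
	for _, a := range addrs {
		if isDisallowedIP(a.IP) {
			return fmt.Errorf("%s resolves to non-public address %s", host, a.IP)
		}
	}
	return nil
}
```

The fetch that follows must dial the addresses that were validated (for example via a custom dialer) rather than re-resolving the hostname, otherwise a DNS answer that changes between check and use bypasses the check.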

