CVE-2026-39984: CWE-295: Improper Certificate Validation in sigstore timestamp-authority
CVE-2026-39984 is a medium severity vulnerability in sigstore timestamp-authority versions 2. 0. 5 and below. It involves improper certificate validation in the VerifyTimestampResponse function, where authorization checks are performed against a different certificate than the one used to verify the signature. This flaw allows an attacker to bypass authorization by prepending a forged certificate to the certificate bag. The vulnerability affects only the timestamp-authority/v2/pkg/verification package and not the timestamp-authority service itself or sigstore-go. The issue is fixed in version 2. 0. 6.
AI Analysis
Technical Summary
The vulnerability in sigstore timestamp-authority (CVE-2026-39984) arises from improper certificate validation in the VerifyTimestampResponse function. While the certificate chain signature is correctly verified, the TSA-specific constraint checks in VerifyLeafCert incorrectly use the first non-CA certificate from the PKCS#7 certificate bag instead of the leaf certificate from the verified chain. An attacker can exploit this by inserting a forged certificate at the start of the certificate bag, causing the system to validate the signature against an authorized certificate but perform authorization checks against the forged one. This leads to an authorization bypass. The flaw affects only the verification package and was resolved in version 2.0.6.
Potential Impact
The vulnerability allows an attacker to bypass authorization checks in the verification package of sigstore timestamp-authority, potentially enabling unauthorized actions related to timestamp verification. There is no impact on the timestamp-authority service itself or the sigstore-go library. The CVSS score is 5.5 (medium severity), indicating a moderate impact with no confidentiality or availability impact but a high integrity impact.
Mitigation Recommendations
Upgrade to sigstore timestamp-authority version 2.0.6 or later, where this vulnerability is fixed. Since the issue is resolved in this version, applying the official fix is the recommended mitigation. No other temporary or workaround measures are indicated.
CVE-2026-39984: CWE-295: Improper Certificate Validation in sigstore timestamp-authority
Description
CVE-2026-39984 is a medium severity vulnerability in sigstore timestamp-authority versions 2. 0. 5 and below. It involves improper certificate validation in the VerifyTimestampResponse function, where authorization checks are performed against a different certificate than the one used to verify the signature. This flaw allows an attacker to bypass authorization by prepending a forged certificate to the certificate bag. The vulnerability affects only the timestamp-authority/v2/pkg/verification package and not the timestamp-authority service itself or sigstore-go. The issue is fixed in version 2. 0. 6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in sigstore timestamp-authority (CVE-2026-39984) arises from improper certificate validation in the VerifyTimestampResponse function. While the certificate chain signature is correctly verified, the TSA-specific constraint checks in VerifyLeafCert incorrectly use the first non-CA certificate from the PKCS#7 certificate bag instead of the leaf certificate from the verified chain. An attacker can exploit this by inserting a forged certificate at the start of the certificate bag, causing the system to validate the signature against an authorized certificate but perform authorization checks against the forged one. This leads to an authorization bypass. The flaw affects only the verification package and was resolved in version 2.0.6.
Potential Impact
The vulnerability allows an attacker to bypass authorization checks in the verification package of sigstore timestamp-authority, potentially enabling unauthorized actions related to timestamp verification. There is no impact on the timestamp-authority service itself or the sigstore-go library. The CVSS score is 5.5 (medium severity), indicating a moderate impact with no confidentiality or availability impact but a high integrity impact.
Mitigation Recommendations
Upgrade to sigstore timestamp-authority version 2.0.6 or later, where this vulnerability is fixed. Since the issue is resolved in this version, applying the official fix is the recommended mitigation. No other temporary or workaround measures are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-08T00:01:47.628Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ded57682d89c981f20b4ac
Added to database: 4/15/2026, 12:01:58 AM
Last enriched: 4/15/2026, 12:17:00 AM
Last updated: 4/15/2026, 1:10:51 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.