Vulnerability Details CVE-2026-24408
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request but the "state" in the server response seems not not be cross-checked with this value. Version 4.2.0 contains a patch for the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.6%
CVSS Severity
References
Products affected by CVE-2026-24408
-
cpe:2.3:a:linuxfoundation:sigstore-python:*