Identity Crisis: Bypassing OIDC Checks in Sigstore Python (CVE-2026-24408)
Vulnerability ID: CVE-2026-24408
CVSS Score: 6.1
Published: 2026-01-26
A critical flaw in the Sigstore Python client's OpenID Connect implementation allows attackers to force victims to sign software artifacts using the attacker's identity. This 'Login CSRF' vulnerability undermines the core promise of software supply chain provenance by allowing identity misbinding.
TL;DR
The sigstore-python client failed to verify the state parameter during OIDC authentication callbacks. This allowed attackers to perform a Localhost CSRF attack, feeding their own authorization codes to a victim's signing process. As a result, a victim could unknowingly sign code with an attacker's identity, creating falsified provenance records.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-352 (CSRF)
- CVSS v3.1: 6.1 (Medium)
- Attack Vector: Network (Localhost CSRF)
- Impact: Identity Misbinding
- EPSS Score: 0.00039
- Exploit Status: PoC Available
Affected Systems
- sigstore-python < 4.2.0 (Fixed in: 4.2.0)
- Python applications importing sigstore.oidc
Code Analysis
Commit: 5e77497
Fix OAuth state validation to prevent CSRF

```python
if server.auth_response["state"][0] != server.oauth_session.state:
    raise IdentityError("OAuth state mismatch")
```
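To make the check concrete, here is an added illustration (not sigstore-python's own code) of a localhost callback handler with and without the state comparison; `OAuthSession`, `handle_callback`, `simulate` and the sample callback URLs are assumptions constructed for this demo.

```python
import secrets
from urllib.parse import parse_qs, urlparse


class IdentityError(Exception):
    """Raised when a callback cannot be bound to the session that opened the browser."""


class OAuthSession:
    """Hypothetical stand-in for the per-run session the client creates before
    opening the browser; the state is a fresh, unguessable nonce."""

    def __init__(self) -> None:
        self.state = secrets.token_urlsafe(32)


def handle_callback(session: OAuthSession, callback_url: str, check_state: bool = True) -> str:
    """Extract the authorization code from the redirect that hits the localhost
    listener. check_state=False accepts whatever code arrives (pre-4.2.0
    behaviour); check_state=True rejects a callback whose state is not the one
    this session generated, so a code issued for another identity is dropped."""
    params = parse_qs(urlparse(callback_url).query)
    if "code" not in params:
        raise IdentityError("callback carries no authorization code")
    if check_state and params.get("state", [""])[0] != session.state:
        raise IdentityError("OAuth state mismatch")
    return params["code"][0]


def simulate(check_state: bool) -> dict:
    """Run one signing session against a genuine callback and a forged one.
    Both callback URLs are constructed sample inputs for this demo."""
    session = OAuthSession()
    genuine = f"http://localhost:8080/callback?code=victim-code&state={session.state}"
    # A request reaching the listener from anywhere else carries a code issued for
    # some other identity and a state value the sender cannot know.
    forged = "http://localhost:8080/callback?code=attacker-code&state=not-this-session"
    result = {"genuine": handle_callback(session, genuine, check_state)}
    try:
        result["forged"] = handle_callback(session, forged, check_state)
    except IdentityError as exc:
        result["forged"] = f"rejected: {exc}"
    return result
```

With the check disabled the forged code is returned and would be exchanged for a token bound to the wrong identity; with it enabled the same request is refused before any token exchange.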
Exploit Details
- Theory: localhost login CSRF, in which malicious JavaScript running in the victim's browser issues a request to the client's local callback port.
Mitigation Strategies
- Upgrade sigstore-python to version 4.2.0+
- Implement strict state validation in all custom OIDC consumers
- Isolate signing environments to prevent browser-based local network attacks
Remediation Steps:
- Run `pip install --upgrade sigstore` to install the patched version.
- Verify the installation with `pip show sigstore`, ensuring the version is >= 4.2.0.
- Audit any CI/CD pipelines using the Python client to ensure they use the latest version.
References
Read the full report for CVE-2026-24408 on our website for more details including interactive diagrams and full exploit analysis.