GHSA-xm5m-wgh2-rrg3 · Severity: medium · Ecosystem: go — Sigstore Timestamp Authority has Improper Certificate Validation in verifier
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Versions 2.0.5 and below contain an authorization bypass vulnerability in the VerifyTimestampResponse function. VerifyTimestampResponse correctly verifies the certificate chain signature, but the TSA-specific constraint checks in VerifyLeafCert uses the first non-CA certificate from the PKCS#7 certificate bag instead of the leaf certificate from the verified chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key, causing the library to validate the signature against one certificate but perform authorization checks against another. This vulnerability only affects users of the timestamp-authority/v2/pkg/verification package and does not affect the timestamp-authority service itself or sigstore-go. The issue has been fixed in version 2.0.6.
Conclusion & alert: CVE-2026-39984 is rated Low Risk (22.5/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.10%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.01% | 0.10% | +0.09% |
| 2 | 2026-04-15 | — | 0.01% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.5 | 3.1 | MEDIUM |
|
1.8 | 3.6 | [email protected] |
GHSA-xm5m-wgh2-rrg3 · Severity: medium · Ecosystem: go — Sigstore Timestamp Authority has Improper Certificate Validation in verifier
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2026-39984 not yet assigned priority: Debian including 1 source packages (golang-github-sigstore-timestamp-authority), 3 status rows across 3 suites (forky, sid, trixie): resolved 2, open 1. | https://security-tracker.debian.org/tracker/CVE-2026-39984 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-39984 |
suse
|
medium | CVE-2026-39984 severity moderate: SUSE including 8 source package names (docker, docker-bash-completion, …), 89 product×package rows across 26 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (26 product lines)): Known Not Affected 89. | https://www.suse.com/security/cve/CVE-2026-39984/ |
ubuntu
|
medium | CVE-2026-39984 medium priority: Ubuntu including 1 source packages (golang-github-sigstore-timestamp-authority), 5 status rows across 5 suites (jammy, noble, questing, resolute, upstream): needs-triage 3, DNE 2. | https://ubuntu.com/security/CVE-2026-39984 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linuxfoundation | sigstore_timestamp_authority | < 2.0.6 | cpe:2.3:a:linuxfoundation:sigstore_timestamp_authority:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/sigstore/timestamp-authority/releases/tag/v2.0.6 | Product Release Notes |
| https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-xm5m-wgh2-rrg3 | Mitigation Vendor Advisory |