PyPI: sigstore
CVE-2026-24408
Safety vulnerability ID: SFTY-20260126-12751
Safety legacy ID: pyup.io-85154
Affected versions of the sigstore package are vulnerable to Cross-Site Request Forgery (CSRF) due to missing validation of the OAuth “state” parameter returned in the authentication response. The sigstore _OAuthSession flow generates a unique state value and includes it in the OIDC/OAuth authentication request, but does not appear to cross-check that the state in the server response matches the original value.
Overview
sigstore CSRF possibility in OIDC authentication during signing
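The check the advisory describes as missing is the client-side comparison of the `state` echoed back in the authorization response against the value the client placed in the request. The following is added example code written for this page, not sigstore-python's `_OAuthSession` or a reproduction of its logic; the class and function names, endpoints and sample callback URLs are constructed for the illustration. It shows a minimal authorization-code flow client with the comparison enabled (the hardened behaviour) and disabled (the behaviour the advisory describes), and runs an honest and a mismatched callback against each so the difference is visible.

```python
"""OAuth 2.0 / OIDC `state` validation on the authorization callback.

Constructed example for this page; not sigstore-python's code. Names such as
OAuthSession, handle_callback and the URLs below are assumptions made here.
"""

import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class StateMismatch(Exception):
    """Raised when the callback's `state` does not match the one this session issued."""


class OAuthSession:
    """Minimal authorization-code flow client (constructed example).

    `validate_state=False` models the flawed behaviour: the state is generated
    and sent, but never compared on the way back, so any callback carrying a
    valid-looking `code` is accepted. `validate_state=True` is the fix.
    """

    def __init__(self, auth_endpoint: str, client_id: str, redirect_uri: str,
                 *, validate_state: bool = True):
        self.auth_endpoint = auth_endpoint
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.validate_state = validate_state
        # 128 bits of CSPRNG output, bound to this one session.
        self._state = secrets.token_urlsafe(16)
        self._nonce = secrets.token_urlsafe(16)

    def auth_url(self) -> str:
        """Build the authentication request; `state` is included here."""
        params = {
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",
            "state": self._state,
            "nonce": self._nonce,
        }
        return f"{self.auth_endpoint}?{urlencode(params)}"

    def handle_callback(self, callback_url: str) -> str:
        """Return the authorization code from the redirect, or raise.

        The state comparison must happen before the code is exchanged for a
        token; a callback with a missing or altered state is rejected.
        """
        query = parse_qs(urlparse(callback_url).query)
        if "error" in query:
            raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
        code = query.get("code", [None])[0]
        if code is None:
            raise ValueError("callback is missing `code`")
        if self.validate_state:
            returned = query.get("state", [""])[0]
            # Constant-time comparison against the value this session generated.
            if not hmac.compare_digest(returned.encode(), self._state.encode()):
                raise StateMismatch("state in callback does not match the value sent in the request")
        return code


def demo() -> dict:
    """Run an honest and a mismatched callback against both configurations.

    Returns {label: (honest_callback_accepted, mismatched_callback_rejected)}.
    """
    results = {}
    for label, validate in (("hardened", True), ("no_state_check", False)):
        session = OAuthSession("https://idp.example/authorize", "example-client",
                               "http://localhost:8080/cb", validate_state=validate)
        # Constructed honest callback: echoes the state this session issued.
        honest = f"http://localhost:8080/cb?code=good-code&state={session._state}"
        # Constructed mismatched callback: a state this session never issued.
        mismatched = "http://localhost:8080/cb?code=other-code&state=not-ours"
        honest_ok = session.handle_callback(honest) == "good-code"
        try:
            session.handle_callback(mismatched)
            mismatched_rejected = False
        except StateMismatch:
            mismatched_rejected = True
        results[label] = (honest_ok, mismatched_rejected)
    return results


if __name__ == "__main__":
    print(demo())  # {'hardened': (True, True), 'no_state_check': (True, False)}
```

Only the hardened session refuses the callback whose state it did not generate; the session without the comparison accepts both, which is the CSRF condition the advisory describes. In a real client the `nonce` should likewise be checked against the ID token's `nonce` claim after the token exchange.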
References
- https://getsafety.com/vulnerabilities/SFTY-20260126-12751/CVE-2026-24408
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24408
- https://github.com/advisories/GHSA-hm8f-75xx-w2vr
- https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr
- https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa
- https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0
- https://nvd.nist.gov/vuln/detail/CVE-2026-24408
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
