Skip to main content

Suse CVE-2026-39984

MEDIUM
Improper Certificate Validation (CWE-295)
2026-04-14 https://github.com/sigstore/timestamp-authority GHSA-xm5m-wgh2-rrg3
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch released
Apr 14, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 01:22 vuln.today
Analysis Generated
Apr 14, 2026 - 01:15 vuln.today
CVE Published
Apr 14, 2026 - 01:01 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Authorization bypass via certificate bag manipulation in sigstore/timestamp-authority verifier

An authorization bypass vulnerability exists in sigstore/timestamp-authority verifier (timestamp-authority/v2/pkg/verification): VerifyTimestampResponse function correctly verifies the certificate chain but when the TSA specific constraints are verified in VerifyLeafCert, the first non-CA certificate from the PKCS#7 certificate bag is used instead of the leaf certificate from the certificate chain. An attacker can exploit this by prepending a forged certificate to the certificate bag while the message is signed with an authorized key. The library validates the signature using the one certificate but performs authorization checks on the another, allowing an attacker to bypass some authorization controls.

This vulnerability does not apply to timestamp-authority service, only to users of timestamp-authority/v2/pkg/verification package.

This vulnerability does not apply to sigstore-go even though it is a user of timestamp-authority/v2/pkg/verification: Providing TSACertificate option to VerifyTimestampResponse fully mitigates the issue.

Patches

The issue will be fixed in timestamp-authority 2.0.6

Workarounds

Users of VerifyTimestampResponse can use the TSACertificate option to specify the exact certificate they expect to be used: this fully mitigates the issue.

References

This issue was found after reading CVE-2026-33753 / GHSA-3xxc-pwj6-jgrj (originally reported by @Jaynornj and @Pr00fOf3xpl0it)

AnalysisAI

Authorization bypass in sigstore/timestamp-authority verifier allows attackers to prepend forged certificates to PKCS#7 certificate bags, causing the library to validate signatures with one certificate while performing authorization checks on another. The vulnerability affects the VerifyTimestampResponse function in timestamp-authority/v2/pkg/verification, enabling attackers to bypass authorization controls on timestamp verification. This impacts only library consumers, not the timestamp-authority service itself, and sigstore-go is unaffected due to its use of the TSACertificate mitigation option. EPSS 5.5, actively exploitable via local interaction.

Technical ContextAI

The vulnerability resides in the sigstore/timestamp-authority Go package, specifically in the certificate chain verification logic. The VerifyTimestampResponse function correctly validates the PKCS#7 signature chain but incorrectly selects the verification certificate from the certificate bag during authorization enforcement. Instead of using the verified leaf certificate from the validated chain, the code selects the first non-CA certificate from the certificate bag, allowing an attacker to exploit a mismatch between signature validation (correct certificate) and authorization checks (wrong certificate). This is a certificate identity confusion issue (CWE-295: Improper Certificate Validation) where the library fails to consistently use the same certificate for both cryptographic validation and policy enforcement. The Go package identifier is pkg:go/github.com_sigstore_timestamp-authority_v2.

RemediationAI

Vendors should upgrade to timestamp-authority 2.0.6 or later, which fixes the certificate selection logic in the VerifyTimestampResponse function. For users unable to immediately upgrade, apply the workaround by explicitly providing the TSACertificate option when calling VerifyTimestampResponse-this fully mitigates the authorization bypass by ensuring the correct certificate is used for both signature validation and authorization checks. Review advisory details at https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-xm5m-wgh2-rrg3 for comprehensive remediation guidance and confirmation that your deployment uses the vulnerable code path.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

CVE-2026-39984 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy