Skip to main content

gittuf CVE-2026-44544

| EUVDEUVD-2026-30348 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-07 https://github.com/gittuf/gittuf GHSA-vxvc-cg7j-rwqj
4.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
CVSS changed
May 14, 2026 - 18:22 NVD
4.9 (MEDIUM)
Source Code Evidence Fetched
May 07, 2026 - 04:00 vuln.today
Analysis Generated
May 07, 2026 - 04:00 vuln.today
CVE Published
May 07, 2026 - 03:34 nvd
MEDIUM

DescriptionGitHub Advisory

Summary

An attacker with push access to gittuf's Reference State Log (RSL) can roll back the current policy to any previous policy trusted by the current set of root keys.

Impact

gittuf determines the policy to load by inspecting the RSL. Except for the very first policy (which is automatically trusted given gittuf's TOFU model, or verified against manually specified keys), whenever an RSL entry that points to a new policy is encountered, gittuf validates that this policy is trusted. This is done by checking that the new policy’s root metadata is signed by the required threshold of the current policy's root keys.

Because of this, an attacker with push access to the RSL may create a new entry that references an old policy (that is trusted by the most recent policy's set of root keys), thereby rolling back gittuf's policy to the attacker's chosen state.

Note that the attacker cannot roll back the policy to one that would no longer be trusted by the most recent policy's root keys. As an example, say that Policy A's root keys were for Alice and Bob with a threshold of two, and then Policy B replaced Bob with Carol, with a threshold of two required. An attacker would not be able to roll back the policy to policy A, because it was signed by Alice and Bob, not Alice and Carol.

If you host your repository on a forge such as GitHub, GitLab, Bitbucket, etc., and only certain people are allowed to push to the RSL (e.g. only maintainers of your project have push access to the repository, and all other contributions must be done via pull request), then only those users with push access can perform the attack, or the forge itself.

Fix

gittuf version v0.14.0 introduces a monotonically increasing number to all policy metadata (not to be confused with the metadata version, which dictates the features supported by the metadata). This number is incremented whenever a gittuf client of version v0.14.0 or greater updates the metadata or invokes a patch command to add this field.

During policy verification, gittuf compares the monotonically increasing number of the new policy it encounters in the RSL to the current policy. If any file in the policy (e.g. root of trust, primary policy file, or delegated policy file) has this number, gittuf will check that it increases by one any time the respective file is changed.

Resolution

Upgrade gittuf and Apply Metadata Patch

gittuf strongly recommends users upgrade to the latest version to remediate this vulnerability. Specifically, gittuf version v0.14.0 (and above) are patched with respect to this vulnerability. All users who use gittuf to verify the repository or update its policy metadata must upgrade to prevent this attack.

After a consuming application applies the upgrade, a root of trust user or policy administrator must run:

gittuf trust increment-version

or:

gittuf policy increment-version

to add the monotonically increasing number field to the metadata (see [Fix](#fix) above).

Check for Rollback Attack Attempts

Because this attack requires the attacker to add an entry to the RSL, and because gittuf stores the RSL inside the repository, this attack cannot be performed without leaving evidence behind (in this case, the malicious RSL entry). To check for whether this attack was performed on your repository, run:

gittuf rsl log --ref refs/gittuf/policy

All RSL entries that record new policy states for gittuf should be displayed. There should be one RSL entry every time a legitimate, new policy was applied. Should users find an RSL entry which points to an older policy state, their repository has been compromised.

Credits

gittuf thanks Andrew Nesbitt (@andrew) for finding and responsibly disclosing this vulnerability.

AnalysisAI

Policy rollback vulnerability in gittuf versions up to 0.13.1 allows attackers with push access to the Reference State Log (RSL) to downgrade repository policies to previously signed versions, bypassing security controls. An attacker cannot roll back to policies that would be unsigned by the current root keys, but can selectively choose any valid prior policy state. Vendor-released patch: gittuf v0.14.0 introduces monotonically increasing version numbers to all policy metadata to prevent rollback attacks.

Technical ContextAI

gittuf is a tool that verifies Git repository integrity by maintaining a Reference State Log (RSL) containing signed policy metadata. The RSL is the canonical source for determining which policy to enforce. When gittuf encounters an RSL entry pointing to a new policy, it validates that the policy's root metadata is signed by the required threshold of the current policy's root keys. The vulnerability stems from the lack of forward-verification: gittuf does not ensure that policies progress monotonically, allowing an attacker with RSL write access to revert to any historically valid policy. The fix (CWE-639: Authorization Bypass Through User-Controlled Key) introduces a monotonically increasing integer version field to all policy metadata files (root of trust, primary policy, delegated policies). During policy verification, gittuf now checks that this version increments by exactly one whenever the corresponding file changes, making it cryptographically impossible to present an old policy as a new one without detection.

RemediationAI

Upgrade gittuf to version 0.14.0 or later immediately. After upgrading, all users with root of trust or policy administrator privileges must run either gittuf trust increment-version (for root metadata) or gittuf policy increment-version (for primary or delegated policy files) to add the monotonically increasing version field to the metadata. This command increments the version without making other changes and must be executed once per policy file to remediate existing repositories. To verify whether your repository was attacked before patching, run gittuf rsl log --ref refs/gittuf/policy and examine the RSL entries: legitimate entries should reference progressively newer policies, not older ones. If an older policy is referenced by a newer RSL entry, the repository has been compromised and forensic investigation is needed. Patch reference: https://github.com/gittuf/gittuf/commit/dd76efa505f9137a4a9a625c5ac67b333365a1b8.

More in Gitlab

View all
CVE-2023-7028 CRITICAL POC
10.0 Jan 12

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.

CVE-2013-4490 MEDIUM POC
6.5 May 13

The SSH key upload feature (lib/gitlab_keys.rb) in gitlab-shell before 1.7.3, as used in GitLab 5.0 before 5.4.1 and 6.x

CVE-2021-22205 CRITICAL POC
10.0 Apr 23

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. Rated critical severity (CVSS 10

CVE-2022-2992 CRITICAL POC
9.9 Oct 17

A vulnerability in GitLab CE/EE affecting all versions from 11.10 prior to 15.1.6, 15.2 to 15.2.4, 15.3 to 15.3.2 allows

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-1162 CRITICAL POC
9.8 Apr 04

A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. Rated critical severity (CVSS 9.8)

CVE-2022-0735 CRITICAL POC
9.8 Mar 28

An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions star

CVE-2021-22175 CRITICAL POC
9.8 Jun 11

When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab af

CVE-2021-22203 CRITICAL POC
9.8 Apr 02

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7.9 before 13.8.7, all versions sta

CVE-2019-15741 CRITICAL POC
9.8 Sep 16

An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2019-6960 CRITICAL POC
9.8 Sep 09

An issue was discovered in GitLab Community and Enterprise Edition 9.x, 10.x, and 11.x before 11.5.8, 11.6.x before 11.6

Share

CVE-2026-44544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy