Skip to main content

Rekor

4 CVEs product

Monthly

CVE-2026-24117 Go MEDIUM PATCH This Month

Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.

SSRF Rekor Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-23831 Go MEDIUM PATCH This Month

Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.

Denial Of Service Rekor Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2023-33199 Go MEDIUM PATCH This Month

Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rekor
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2023-30551 Go HIGH PATCH This Week

Rekor is an open source software supply chain transparency log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Rekor
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Rekor versions 1.4.3 and earlier contain a server-side request forgery (SSRF) vulnerability in the /api/v1/index/retrieve endpoint that allows unauthenticated remote attackers to probe internal networks through blind SSRF attacks by supplying arbitrary URLs for public key retrieval. While the vulnerability cannot directly exfiltrate data or modify state since responses are not returned and only GET requests are supported, it enables reconnaissance of internal infrastructure. The issue is patched in version 1.5.0, or can be mitigated by disabling the retrieve API with --enable_retrieve_api=false.

SSRF Rekor Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Rekor versions 1.4.3 and below are vulnerable to denial of service through a null pointer dereference when processing malformed cose/v0.0.1 entries with empty spec.message fields. An unauthenticated remote attacker can trigger a panic in the Rekor process by sending a specially crafted entry, resulting in a 500 error response and temporary service disruption, though the thread recovery mechanism limits availability impact. The vulnerability has been patched in version 1.5.0.

Denial Of Service Rekor Red Hat +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rekor
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Rekor is an open source software supply chain transparency log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Rekor
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy