Vulnerability Details CVE-2026-24408
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" value and sends it as a parameter in the authentication request, but the "state" returned in the server response does not appear to be cross-checked against this value. Version 4.2.0 contains a patch for the issue.
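The missing check described above, as an added illustration that is not sigstore-python's own code: a constructed stand-in for an OAuth client session that generates a `state` value, followed by a callback handler that ignores the returned `state` (the vulnerable pattern) and one that refuses an authorization response whose `state` does not match the session's. Endpoint, client id and redirect URI are placeholders.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class OAuthSession:
    """Constructed stand-in for an OAuth client session (not sigstore-python's _OAuthSession)."""

    def __init__(self, client_id: str, redirect_uri: str) -> None:
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        # Fresh, unguessable per-session token; this is the value that binds the
        # eventual authorization response back to this particular session.
        self.state = secrets.token_urlsafe(32)

    def auth_request_url(self, authorize_endpoint: str) -> str:
        """Authorization request: `state` travels with the usual parameters."""
        query = urlencode({
            "response_type": "code",
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "scope": "openid email",
            "state": self.state,
        })
        return f"{authorize_endpoint}?{query}"


def _params(redirect_url: str) -> dict[str, str]:
    parsed = parse_qs(urlparse(redirect_url).query)
    return {k: v[0] for k, v in parsed.items()}


def consume_redirect_unchecked(session: OAuthSession, redirect_url: str) -> str:
    """Vulnerable pattern: the returned `state` is never compared with session.state,
    so a response bound to some other session is accepted as this session's."""
    return _params(redirect_url)["code"]


def consume_redirect(session: OAuthSession, redirect_url: str) -> str:
    """Hardened pattern: accept the authorization code only if `state` round-trips exactly."""
    params = _params(redirect_url)
    returned_state = params.get("state", "")
    # Constant-time comparison; a missing or foreign state fails closed.
    if not returned_state or not secrets.compare_digest(returned_state, session.state):
        raise ValueError("state mismatch: authorization response not bound to this session")
    if "code" not in params:
        raise ValueError(f"authorization failed: {params.get('error', 'no code returned')}")
    return params["code"]
```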
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 0.5%
Products affected by CVE-2026-24408
- cpe:2.3:a:linuxfoundation:sigstore-python:0.0.1
- cpe:2.3:a:linuxfoundation:sigstore-python:0.1.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.10.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.2.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.3.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.3.1
- cpe:2.3:a:linuxfoundation:sigstore-python:0.4.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.4.1
- cpe:2.3:a:linuxfoundation:sigstore-python:0.4.2
- cpe:2.3:a:linuxfoundation:sigstore-python:0.5.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.5.1
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.1
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.2
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.3
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.4
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.5
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.6
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.7
- cpe:2.3:a:linuxfoundation:sigstore-python:0.6.8
- cpe:2.3:a:linuxfoundation:sigstore-python:0.7.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.8.0
- cpe:2.3:a:linuxfoundation:sigstore-python:0.8.1
- cpe:2.3:a:linuxfoundation:sigstore-python:0.8.2
- cpe:2.3:a:linuxfoundation:sigstore-python:0.8.3
- cpe:2.3:a:linuxfoundation:sigstore-python:0.9.0
- cpe:2.3:a:linuxfoundation:sigstore-python:1.0.0
- cpe:2.3:a:linuxfoundation:sigstore-python:1.1.0
- cpe:2.3:a:linuxfoundation:sigstore-python:1.1.1
- cpe:2.3:a:linuxfoundation:sigstore-python:1.1.2
- cpe:2.3:a:linuxfoundation:sigstore-python:2.0.0
- cpe:2.3:a:linuxfoundation:sigstore-python:2.0.1
- cpe:2.3:a:linuxfoundation:sigstore-python:2.1.0
- cpe:2.3:a:linuxfoundation:sigstore-python:2.1.1
- cpe:2.3:a:linuxfoundation:sigstore-python:2.1.2
- cpe:2.3:a:linuxfoundation:sigstore-python:2.1.3
- cpe:2.3:a:linuxfoundation:sigstore-python:2.1.4
- cpe:2.3:a:linuxfoundation:sigstore-python:2.1.5
- cpe:2.3:a:linuxfoundation:sigstore-python:3.0.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.1.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.2.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.3.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.4.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.1
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.2
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.3
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.4
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.5
- cpe:2.3:a:linuxfoundation:sigstore-python:3.5.6
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.0
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.1
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.2
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.3
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.4
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.5
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.6
- cpe:2.3:a:linuxfoundation:sigstore-python:3.6.7
- cpe:2.3:a:linuxfoundation:sigstore-python:4.0.0
- cpe:2.3:a:linuxfoundation:sigstore-python:4.1.0