{"api_version":"1","generated_at":"2026-07-15T07:40:37+00:00","cve":"CVE-2026-48815","urls":{"html":"https://cve.report/CVE-2026-48815","api":"https://cve.report/api/cve/CVE-2026-48815.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48815","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48815"},"summary":{"title":"sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced","description":"sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-14 21:17:01","updated_at":"2026-07-14 21:17:01"},"problem_types":["CWE-347","CWE-347 CWE-347: Improper Verification of Cryptographic Signature"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr","name":"https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1","name":"https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/sigstore/sigstore-js/pull/1658","name":"https://github.com/sigstore/sigstore-js/pull/1658","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b","name":"https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48815","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48815","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"sigstore","product":"sigstore-js","version":"affected < 4.1.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"sigstore-js","vendor":"sigstore","versions":[{"status":"affected","version":"< 4.1.1"}]}],"descriptions":[{"lang":"en","value":"sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-347","description":"CWE-347: Improper Verification of Cryptographic Signature","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T20:27:16.925Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr"},{"name":"https://github.com/sigstore/sigstore-js/pull/1658","tags":["x_refsource_MISC"],"url":"https://github.com/sigstore/sigstore-js/pull/1658"},{"name":"https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b","tags":["x_refsource_MISC"],"url":"https://github.com/sigstore/sigstore-js/commit/7845532f9d17f6f765363dbee82b01bd159fb52b"},{"name":"https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1","tags":["x_refsource_MISC"],"url":"https://github.com/sigstore/sigstore-js/releases/tag/sigstore%404.1.1"}],"source":{"advisory":"GHSA-52v5-jr5w-gjxr","discovery":"UNKNOWN"},"title":"sigstore-js: `certificateOIDs` verification constraints are silently dropped and never enforced"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-48815","datePublished":"2026-07-14T20:27:16.925Z","dateReserved":"2026-05-22T20:57:10.976Z","dateUpdated":"2026-07-14T20:27:16.925Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 21:17:01","lastModifiedDate":"2026-07-14 21:17:01","problem_types":["CWE-347","CWE-347 CWE-347: Improper Verification of Cryptographic Signature"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48815","Ordinal":"1","Title":"sigstore-js: `certificateOIDs` verification constraints are sile","CVE":"CVE-2026-48815","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48815","Ordinal":"1","NoteData":"sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.","Type":"Description","Title":"sigstore-js: `certificateOIDs` verification constraints are sile"}]}}}