{"api_version":"1","generated_at":"2026-07-17T22:48:05+00:00","cve":"CVE-2026-49835","urls":{"html":"https://cve.report/CVE-2026-49835","api":"https://cve.report/api/cve/CVE-2026-49835.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-49835","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-49835"},"summary":{"title":"Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality","description":"Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-17 19:17:16","updated_at":"2026-07-17 20:17:22"},"problem_types":["CWE-770","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.9","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/sigstore/timestamp-authority/releases/tag/v2.1.0","name":"https://github.com/sigstore/timestamp-authority/releases/tag/v2.1.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/sigstore/timestamp-authority/commit/506ec57b6ac2ea1e4739322e47453469425b69b5","name":"https://github.com/sigstore/timestamp-authority/commit/506ec57b6ac2ea1e4739322e47453469425b69b5","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-9c54-x2g4-v92j","name":"https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-9c54-x2g4-v92j","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-49835","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49835","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"sigstore","product":"timestamp-authority","version":"affected < 2.1.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-49835","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-17T19:45:33.792018Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-17T19:45:44.026Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"timestamp-authority","vendor":"sigstore","versions":[{"status":"affected","version":"< 2.1.0"}]}],"descriptions":[{"lang":"en","value":"Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":5.9,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"CWE-770: Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-17T18:16:41.764Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-9c54-x2g4-v92j","tags":["x_refsource_CONFIRM"],"url":"https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-9c54-x2g4-v92j"},{"name":"https://github.com/sigstore/timestamp-authority/commit/506ec57b6ac2ea1e4739322e47453469425b69b5","tags":["x_refsource_MISC"],"url":"https://github.com/sigstore/timestamp-authority/commit/506ec57b6ac2ea1e4739322e47453469425b69b5"},{"name":"https://github.com/sigstore/timestamp-authority/releases/tag/v2.1.0","tags":["x_refsource_MISC"],"url":"https://github.com/sigstore/timestamp-authority/releases/tag/v2.1.0"}],"source":{"advisory":"GHSA-9c54-x2g4-v92j","discovery":"UNKNOWN"},"title":"Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-49835","datePublished":"2026-07-17T18:16:41.764Z","dateReserved":"2026-06-01T18:50:36.056Z","dateUpdated":"2026-07-17T19:45:44.026Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-17 19:17:16","lastModifiedDate":"2026-07-17 20:17:22","problem_types":["CWE-770","CWE-770 CWE-770: Allocation of Resources Without Limits or Throttling"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":5.9,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-17T19:45:33.792018Z","id":"CVE-2026-49835","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"49835","Ordinal":"1","Title":"Sigstore Timestamp Authority: OOM due to unbounded metric label ","CVE":"CVE-2026-49835","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"49835","Ordinal":"1","NoteData":"Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an unauthenticated remote attacker to issue requests with random paths such as /api/v1/timestamp/<uuid> or random HTTP methods and create unbounded permanent time-series entries that exhaust memory. This issue is fixed in version 2.1.0.","Type":"Description","Title":"Sigstore Timestamp Authority: OOM due to unbounded metric label "}]}}}