<Vulnerability name="CVE-2026-48815">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-01T19:58:28</PublicDate>
    <Bugzilla id="2499687" url="https://bugzilla.redhat.com/show_bug.cgi?id=2499687" xml:lang="en:us">
sigstore: Sigstore: Unauthorized certificates accepted due to ignored `certificateOIDs` verification option
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.9</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-345</CWE>
    <Details xml:lang="en:us" source="Mitre">
sigstore-js provides JavaScript libraries for interacting with Sigstore services. Prior to 4.1.1, the documented certificateOIDs option in sigstore.verify() is accepted by the public API but discarded before verification, so required certificate extension OIDs are never checked and applications relying on certificateOIDs to restrict which certificates may sign artifacts can accept unauthorized certificates. This issue is fixed in version 4.1.1.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in sigstore. The `certificateOIDs` option, intended to restrict which certificates can sign artifacts, is accepted by the public application programming interface (API) but is not used during the verification process. This allows unauthorized certificates to be accepted, bypassing security policies that rely on specific certificate extension object identifiers (OIDs). As a result, applications that depend on this option for security receive no protection, potentially leading to the acceptance of malicious or untrusted artifacts.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in the sigstore npm package. The certificateOIDs verification option is accepted by the API but silently discarded before verification, meaning required certificate extension OIDs are never enforced.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade to sigstore 4.1.1 or later.
    </Mitigation>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:exploit_intelligence:0">
        <ProductName>Exploit Intelligence</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:connectivity_link:1">
        <ProductName>Red Hat Connectivity Link 1</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:enterprise_linux_ai:3">
        <ProductName>Red Hat Enterprise Linux AI (RHEL AI) 3</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:openshift_devspaces:3">
        <ProductName>Red Hat OpenShift Dev Spaces</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:satellite:6">
        <ProductName>Red Hat Satellite 6</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <PackageState impact="moderate" cpe="cpe:/a:redhat:ansible_portal:2">
        <ProductName>Self-service automation portal 2</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>sigstore</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-48815
https://nvd.nist.gov/vuln/detail/CVE-2026-48815
https://github.com/sigstore/sigstore-js/security/advisories/GHSA-52v5-jr5w-gjxr
    </References>
</Vulnerability>