CVE-2026-44309 – gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits

CVE ID :CVE-2026-44309

Published : May 15, 2026, 4:22 p.m. | 35 minutes ago

Description :Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git’s EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees: git-core uses the first, go-git uses the second. A signature crafted over the go-git-normalized form (second tree) passes gitsign verify while git-core resolves the commit to a completely different tree. This breaks the invariant that a verified signature, the commit semantics git-core presents to users, and the object hash logged in Rekor all refer to the same content. This vulnerability is fixed in 0.16.0.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-44774 – Traefik: Gateway API TraefikService backend accepts rest@internal, allowing unauthorized exposure of the REST provider despite providers.rest.insecure=false

CVE-2026-41181 – Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

CVE-2026-44310 – gitsign –verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers

CVE-2026-46508 – Turborepo: VSCode Extension command injection