CVE-2026-39395
mediumCVSS v3 Base Score
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 87% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Confidentiality
None
Integrity
High
Availability
None
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in Cosign, a tool for code signing and transparency for containers and binaries. A remote attacker could exploit this vulnerability by providing malformed payloads or attestations with mismatched predicate types. This could lead to Cosign erroneously reporting a "Verified OK" result, even when the attestations are invalid. This issue compromises the integrity of the verification process, potentially allowing unverified software to be trusted.
CWE
CWE-347Affected Products
OpenShift PipelinesOpenShift ServerlessRed Hat Advanced Cluster Security 4Red Hat Trusted Artifact SignerSecurity Profiles OperatorZero Trust Workload Identity ManagerZero Trust Workload Identity Manager - Tech Preview