CVE-2026-59891

sigstore · sigstore-js

A credential disclosure vulnerability in sigstore-js allows authentication keys to be transmitted to incorrect registries due to improper substring matching.

Executive summary

An insufficient credential protection flaw in sigstore-js allows for the accidental exposure of sensitive authentication keys to unauthorized registries.

Vulnerability

The getRegistryCredentials function performs a substring match instead of an exact host match when selecting credentials from the Docker configuration. This can result in credentials configured for one registry being transmitted to a different, unintended registry if the hostnames share a substring relationship.

Business impact

This vulnerability creates a risk of credential theft and unauthorized access to container registries. If credentials for a trusted registry are leaked to a malicious registry, an attacker could gain the ability to pull private images or push malicious ones, severely compromising the software supply chain. The high CVSS score reflects the significant potential for lateral movement and supply chain poisoning.

Remediation

Immediate Action: Update sigstore-js to version 0.7.1 or later to implement the correct host-matching logic for registry credentials.

Proactive Monitoring: Audit recent logs for authentication attempts against container registries to identify if any credentials were inadvertently sent to the wrong endpoints.

Compensating Controls: Rotate credentials for any container registries that may have been accessed while using an affected version of the library.

Exploitation status

Public Exploit Available: Unknown.

Analyst recommendation

This vulnerability represents a critical risk to the software supply chain. Organizations using sigstore-js should update the library immediately and verify the integrity of their registry credentials to ensure no unauthorized access has occurred.