CVE-2026-39984 Overview
A certificate validation bypass vulnerability has been identified in Sigstore Timestamp Authority, a service for issuing RFC 3161 timestamps. The vulnerability exists in the VerifyTimestampResponse function within versions 2.0.5 and below, where improper certificate validation allows an attacker to bypass authorization checks by exploiting a mismatch between signature verification and authorization validation targets.
Critical Impact
An attacker can bypass authorization controls by prepending a forged certificate to the PKCS#7 certificate bag, causing the library to validate signatures against one certificate while performing authorization checks against another.
Affected Products
- Sigstore Timestamp Authority versions 2.0.5 and below
- timestamp-authority/v2/pkg/verification package
- Applications using the affected verification package
Discovery Timeline
- 2026-04-15 - CVE-2026-39984 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-39984
Vulnerability Analysis
This vulnerability is classified as CWE-295 (Improper Certificate Validation). The core issue lies in how the VerifyTimestampResponse function handles certificate chain verification versus TSA-specific constraint checks.
While VerifyTimestampResponse correctly verifies the certificate chain signature, a critical flaw exists in the VerifyLeafCert function. Instead of using the leaf certificate from the verified certificate chain for TSA-specific constraint checks, the function incorrectly pulls the first non-CA certificate from the PKCS#7 certificate bag.
This architectural flaw creates a disconnect between the certificate used for cryptographic signature verification and the certificate used for authorization validation, enabling an authorization bypass attack.
Root Cause
The root cause is a certificate selection inconsistency in the verification workflow. The VerifyLeafCert function, responsible for TSA-specific constraint checks, uses the first non-CA certificate from the PKCS#7 certificate bag rather than the leaf certificate from the already-verified certificate chain. This design flaw allows an attacker to insert a forged certificate at the beginning of the certificate bag that passes authorization checks, while the actual signature verification occurs against a different, legitimately signed certificate.
Attack Vector
The attack requires local access with user interaction. An attacker exploits this vulnerability by:
- Obtaining or intercepting a legitimately signed timestamp response
- Creating a forged certificate that passes the TSA-specific authorization constraints
- Prepending this forged certificate to the PKCS#7 certificate bag
- Submitting the modified response to applications using the vulnerable verification package
The library validates the signature against the legitimate certificate in the chain but performs authorization checks against the attacker-controlled forged certificate prepended to the certificate bag. This vulnerability specifically affects users of the timestamp-authority/v2/pkg/verification package and does not affect the timestamp-authority service itself or sigstore-go.
Detection Methods for CVE-2026-39984
Indicators of Compromise
- Unexpected certificates appearing at the beginning of PKCS#7 certificate bags in timestamp responses
- Timestamp responses with certificate bags containing certificates not issued by trusted TSA certificate authorities
- Anomalous authorization check results compared to expected certificate chain behavior
Detection Strategies
- Implement monitoring for applications using the timestamp-authority/v2/pkg/verification package versions 2.0.5 and below
- Audit timestamp responses for certificate bag manipulation by comparing certificate order and origin
- Review application logs for authorization checks that succeed against unexpected certificate identities
Monitoring Recommendations
- Monitor dependency manifests and lock files for vulnerable versions of the timestamp-authority package
- Implement software composition analysis (SCA) scanning to detect vulnerable components
- Configure alerts for any changes to certificate handling or validation logic in affected applications
How to Mitigate CVE-2026-39984
Immediate Actions Required
- Upgrade Sigstore Timestamp Authority to version 2.0.6 or later immediately
- Audit any applications using the timestamp-authority/v2/pkg/verification package to confirm vulnerability status
- Review timestamp responses processed during the exposure window for potential exploitation
Patch Information
The vulnerability has been fixed in Sigstore Timestamp Authority version 2.0.6. The fix ensures that TSA-specific constraint checks in VerifyLeafCert correctly use the leaf certificate from the verified certificate chain rather than selecting certificates from the PKCS#7 certificate bag.
For detailed patch information, see the GitHub Release v2.0.6. Additional security details are available in the GitHub Security Advisory GHSA-xm5m-wgh2-rrg3.
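To make the selection mismatch described in the Root Cause and Patch Information sections concrete, the following Go program is an added example written for this page; it is not code from the timestamp-authority project, and its functions FirstNonCAInBag and VerifiedLeaf are hypothetical stand-ins for the two selection strategies, not the project's VerifyLeafCert. It constructs a trusted root, a TSA leaf issued by that root, and a self-signed forged leaf, places the forgery first in the certificate bag as the advisory describes, and shows that the "first non-CA certificate" selection hands the forged identity to the TSA constraint checks while a selection taken from the verified chain hands back the certificate that actually signed. Identifying the signing certificate by serial number is an assumption made for brevity; it stands in for the CMS SignerInfo lookup and the signature check that bind the token to one certificate's key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the fixture-building code short; real verification code returns errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template returns a short-lived certificate template for the constructed fixture.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	c := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		c.KeyUsage |= x509.KeyUsageCertSign
	} else { // both leaves carry the EKU a TSA-specific constraint check looks for
		c.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}
	}
	return c
}

// issue generates a P-256 key and certifies it under parent; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildFixture constructs the certificate bag of a tampered response, ordered the way the
// advisory describes: forged leaf first, then the legitimate TSA leaf, then the root.
// It returns the bag, the trusted root, and the serial of the certificate whose key
// verified the CMS signature (here the legitimate leaf). All values are constructed.
func BuildFixture() (bag []*x509.Certificate, root *x509.Certificate, signerSerial *big.Int) {
	root, rootKey := issue(template(1, "Example TSA Root", true), nil, nil)
	leaf, _ := issue(template(2, "Example TSA Leaf", false), root, rootKey)
	forged, _ := issue(template(3, "Forged TSA Leaf", false), nil, nil) // never chains to root
	return []*x509.Certificate{forged, leaf, root}, root, leaf.SerialNumber
}

// FirstNonCAInBag mirrors the vulnerable selection the advisory describes: the first non-CA
// certificate in the bag, with no link to the certificate the signature was checked against.
func FirstNonCAInBag(bag []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range bag {
		if !c.IsCA {
			return c, nil
		}
	}
	return nil, errors.New("no end-entity certificate in bag")
}

// VerifiedLeaf is the hardened pattern: locate the signing certificate, verify its chain to
// the trusted root, and hand back that verified chain's leaf for the constraint checks.
func VerifiedLeaf(bag []*x509.Certificate, root *x509.Certificate, signerSerial *big.Int) (*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	var signer *x509.Certificate
	for _, c := range bag {
		if signer == nil && c.SerialNumber.Cmp(signerSerial) == 0 {
			signer = c
		} else if c.IsCA && !c.Equal(root) {
			inters.AddCert(c) // bag intermediates are untrusted input; Verify vets them
		}
	}
	if signer == nil {
		return nil, errors.New("signing certificate not present in bag")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}}
	chains, err := signer.Verify(opts)
	if err != nil {
		return nil, fmt.Errorf("chain verification failed: %w", err)
	}
	return chains[0][0], nil // the same certificate the signature was verified with
}

func main() {
	bag, root, serial := BuildFixture()
	v := must(FirstNonCAInBag(bag))
	h := must(VerifiedLeaf(bag, root, serial))
	fmt.Printf("vulnerable pattern authorizes: %s\nhardened pattern authorizes: %s\n",
		v.Subject.CommonName, h.Subject.CommonName)
}
```

Run it with go run: the two printed identities differ, which is the entire vulnerability, since the constraint checks are satisfied by a certificate that never signed anything. The hardened path also fails closed when the forged certificate is named as the signer, because it does not chain to the trusted root. An application-layer check of the kind suggested under Workarounds can follow the same shape: rebuild the chain from the signing certificate and refuse any response whose bag contains an end-entity certificate that does not verify against the trusted TSA roots.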
Workarounds
- If immediate upgrade is not possible, implement additional certificate chain validation at the application layer before relying on timestamp verification results
- Consider temporarily disabling timestamp verification functionality until the patch can be applied
- Implement strict certificate pinning for trusted TSA certificates as an additional defense layer
# Update timestamp-authority to patched version
go get github.com/sigstore/timestamp-authority/v2@v2.0.6
go mod tidy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.