{"id":"GHSA-w6c6-c85g-mmv6","summary":"Cosign's verify-blob-attestation reports false positive when payload parsing fails","details":"## Description\n\n`cosign verify-blob-attestation` may erroneously report a \"Verified OK\" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely.\n\n## Impact\n\nWhen `cosign verify-blob-attestation` is used without `--check-claims` set to `true`, an attestation that has a valid signature but a malformed or unparsable payload would be incorrectly validated. Additionally, systems relying on `--type \u003cpredicate type\u003e` to reject attestations with mismatched types would be led to trust the unexpected attestation type.\n\n## Patches\n\nv3.0.6, v2.6.3\n\n## Workarounds\n\nAlways set `--check-claims=true` for attestation verification.","aliases":["BIT-cosign-2026-39395","CVE-2026-39395"],"modified":"2026-04-09T10:10:56.508139279Z","published":"2026-04-08T00:15:44Z","database_specific":{"cwe_ids":["CWE-754"],"github_reviewed":true,"github_reviewed_at":"2026-04-08T00:15:44Z","severity":"MODERATE","nvd_published_at":"2026-04-07T20:16:33Z"},"references":[{"type":"WEB","url":"https://github.com/sigstore/cosign/security/advisories/GHSA-w6c6-c85g-mmv6"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39395"},{"type":"PACKAGE","url":"https://github.com/sigstore/cosign"}],"affected":[{"package":{"name":"github.com/sigstore/cosign","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/cosign"},"ranges":[{"type":"SEMVER","events":[{"introduced":"3.0.0"},{"fixed":"3.0.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w6c6-c85g-mmv6/GHSA-w6c6-c85g-mmv6.json"}},{"package":{"name":"github.com/sigstore/cosign","ecosystem":"Go","purl":"pkg:golang/github.com/sigstore/cosign"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.6.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w6c6-c85g-mmv6/GHSA-w6c6-c85g-mmv6.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"}]}