Cyber Posture

CVE-2026-31830

Severity: High
Published: 10 March 2026
Modified: 20 March 2026
KEV Added: not listed
Patch: fixed in sigstore-ruby 0.2.3
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0004 (13.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31830 is a high-severity Unchecked Return Value (CWE-252) vulnerability in Sigstore's sigstore-ruby. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks at the 13.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Compromise Software Supply Chain (T1195.002).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques [AI]

T1195.002 Compromise Software Supply Chain (tactic: Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
Why these techniques?

The verification bypass in sigstore-ruby's in-toto/DSSE checks directly enables substitution of mismatched (malicious) artifacts that still pass integrity checks, facilitating compromise of software supply chain artifacts and pipelines.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed in 0.2.3.

Deeper analysis [AI]

CVE-2026-31830 affects sigstore-ruby, a pure Ruby implementation of the sigstore/cosign project's verify command, in versions prior to 0.2.3. The vulnerability lies in the Sigstore::Verifier#verify method, which fails to propagate the VerificationFailure result returned by verify_in_toto when the artifact digest does not match the digest specified in the in-toto attestation subject. Consequently, verification of DSSE bundles containing in-toto statements always returns VerificationSuccess, even if the artifact does not match the attested subject. This issue is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-252 (Unchecked Return Value).

Attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. If a DSSE bundle carries an in-toto statement whose subject digest does not match the artifact being verified, for example a tampered binary or package, the verifier still reports it as authentic. This is an integrity bypass: adversaries can substitute malicious artifacts while evading sigstore's verification checks, potentially leading to deployment of untrusted software in supply chain pipelines.

The GitHub Security Advisory (GHSA-mhg6-2q2v-9h2c) confirms the issue is fixed in sigstore-ruby version 0.2.3, where the verifier now properly propagates the VerificationFailure. Security practitioners should upgrade to 0.2.3 or later and audit usages of Sigstore::Verifier#verify with in-toto attestations, especially in CI/CD workflows relying on sigstore for artifact verification.
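As an added illustration (not sigstore-ruby's own code; the result classes, method names and the constructed in-toto statement below are simplified stand-ins for the ones the advisory names), here is the CWE-252 pattern beside its fixed form, with the digest-mismatch case a practitioner can run as a regression test against any verifier wrapper:

```ruby
require "digest"

# Stand-in result types (assumed names modelled on the advisory text,
# not sigstore-ruby's real classes).
VerificationSuccess = Struct.new(:message)
VerificationFailure = Struct.new(:reason)

# Constructed in-toto statement: the subject pins the sha256 of the
# artifact that was actually attested.
TRUSTED_ARTIFACT = "trusted-package-v1".b
STATEMENT = {
  "subject" => [{
    "name"   => "pkg.gem",
    "digest" => { "sha256" => Digest::SHA256.hexdigest(TRUSTED_ARTIFACT) }
  }]
}

# Compare the artifact digest against every subject digest in the statement.
# Returns a result object; nothing is raised.
def verify_in_toto(statement, artifact)
  actual   = Digest::SHA256.hexdigest(artifact)
  expected = statement["subject"].map { |s| s.dig("digest", "sha256") }
  return VerificationSuccess.new("subject digest matches") if expected.include?(actual)
  VerificationFailure.new("artifact digest #{actual[0, 12]}... not among attested subjects")
end

# CWE-252 pattern: the subject check runs, but its result is discarded,
# so the caller sees success even when the digest mismatches.
def verify_vulnerable(statement, artifact)
  verify_in_toto(statement, artifact)      # return value silently dropped
  VerificationSuccess.new("bundle verified")
end

# Fixed pattern: a VerificationFailure from the subject check is propagated
# to the caller instead of being overwritten.
def verify_fixed(statement, artifact)
  result = verify_in_toto(statement, artifact)
  return result if result.is_a?(VerificationFailure)
  VerificationSuccess.new("bundle verified")
end

if __FILE__ == $0
  tampered = "tampered-package".b
  puts verify_vulnerable(STATEMENT, tampered).class   # VerificationSuccess (the bug)
  puts verify_fixed(STATEMENT, tampered).class        # VerificationFailure
  puts verify_fixed(STATEMENT, TRUSTED_ARTIFACT).class # VerificationSuccess
end
```

The third case is the one to keep in CI: a verifier wrapper that reports success for a mismatched digest is affected regardless of what it reports for a matching one.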

Details

CWE(s): CWE-252 (Unchecked Return Value)

Affected Products: sigstore / sigstore, ≤ 0.2.3

CVEs Like This One

CVE-2025-25724 (shared CWE-252)
CVE-2026-0723 (shared CWE-252)
CVE-2026-21920 (shared CWE-252)
CVE-2026-35468 (shared CWE-252)
CVE-2026-28691 (shared CWE-252)
CVE-2026-34065 (shared CWE-252)
CVE-2026-22255 (shared CWE-252)
CVE-2026-22861 (shared CWE-252)
CVE-2026-22047 (shared CWE-252)
CVE-2026-22046 (shared CWE-252)

References