CVE-2026-31830
Published: 10 March 2026
Summary
CVE-2026-31830 is a high-severity Unchecked Return Value (CWE-252) vulnerability in sigstore-ruby, the Sigstore project's pure Ruby implementation of cosign's verify command. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE is ranked at the 14.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-6 (Security and Privacy Function Verification).
Deeper analysis
CVE-2026-31830 affects sigstore-ruby, a pure Ruby implementation of the verify command from the sigstore/cosign project, in versions prior to 0.2.3. The defect is in Sigstore::Verifier#verify: when verify_in_toto finds that the artifact digest does not match the digest in the in-toto statement's subject, it returns a VerificationFailure result, but #verify discards that result instead of returning it to the caller. Consequently, verification of DSSE bundles containing in-toto statements returns VerificationSuccess even when the artifact does not match the attested subject. The issue is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps to CWE-252 (Unchecked Return Value).
The CVSS vector reflects network reachability, low attack complexity, and no privileges or user interaction. Nothing in the advisory suggests that the signature or certificate checks are affected; what is lost is the binding between the attestation and the artifact. The practical attack is therefore not to forge an attestation but to pair a genuine, validly signed attestation for one artifact with a different, tampered artifact (a modified binary or package): the verifier checks the envelope, silently drops the digest mismatch, and reports success. The result is an integrity bypass that lets an adversary substitute artifacts while appearing to satisfy sigstore verification, which can lead to untrusted software being deployed by supply chain pipelines.
The GitHub Security Advisory (GHSA-mhg6-2q2v-9h2c) confirms the issue is fixed in sigstore-ruby version 0.2.3, where the verifier now propagates the VerificationFailure. Security practitioners should upgrade to 0.2.3 or later, audit usages of Sigstore::Verifier#verify with in-toto attestations (especially in CI/CD workflows that rely on sigstore for artifact verification), and confirm with a deliberately tampered artifact and a genuine attestation that verification now fails.
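The failure mode and the audit step described above, as an added example that is not sigstore-ruby's own code: a minimal stand-in verifier in which verify_in_toto compares the artifact's SHA-256 with the in-toto subject digest, shown once with the result discarded (the pre-0.2.3 shape of CWE-252) and once with it propagated, followed by a regression check a pipeline can run against whichever verifier it depends on. The VerificationSuccess/VerificationFailure structs, the envelope, the statement, the artifact bytes, and every method name here are constructed for the example; only Ruby's standard library is used, and no signature or certificate verification is performed.

```ruby
require "json"
require "digest"

# Stand-ins for the verifier's result types (hypothetical; not the gem's own classes).
VerificationSuccess = Struct.new(:message)
VerificationFailure = Struct.new(:reason)

# Constructed sample: an in-toto Statement whose single subject is the SHA-256
# of GOOD_ARTIFACT, wrapped in a DSSE envelope. The signature is a placeholder
# because signature and certificate checks are outside this example's scope.
GOOD_ARTIFACT = "good artifact bytes\n"
STATEMENT = {
  "_type" => "https://in-toto.io/Statement/v1",
  "subject" => [{ "name" => "app.tar.gz",
                  "digest" => { "sha256" => Digest::SHA256.hexdigest(GOOD_ARTIFACT) } }],
  "predicateType" => "https://slsa.dev/provenance/v1",
  "predicate" => {}
}
ENVELOPE = {
  "payloadType" => "application/vnd.in-toto+json",
  "payload" => [JSON.generate(STATEMENT)].pack("m0"), # strict base64, no newlines
  "signatures" => [{ "sig" => "placeholder" }]
}

# Plays the role the advisory assigns to verify_in_toto: decode the statement
# and check that the artifact's digest is one of the subject digests.
def verify_in_toto(envelope, artifact)
  statement = JSON.parse(envelope["payload"].unpack1("m0"))
  actual = Digest::SHA256.hexdigest(artifact)
  expected = statement.fetch("subject").map { |s| s.dig("digest", "sha256") }
  return VerificationSuccess.new("subject digest matches") if expected.include?(actual)

  VerificationFailure.new("artifact sha256 #{actual[0, 12]}... is not in the attestation subject")
end

# Pre-0.2.3 shape of the bug: the VerificationFailure is computed and then
# dropped, so control falls through to success.
def verify_vulnerable(envelope, artifact)
  verify_in_toto(envelope, artifact)
  VerificationSuccess.new("verified")
end

# Fixed shape: a failure from verify_in_toto is returned to the caller.
def verify_fixed(envelope, artifact)
  result = verify_in_toto(envelope, artifact)
  return result if result.is_a?(VerificationFailure)

  VerificationSuccess.new("verified")
end

# Regression check for a CI pipeline: the verifier must accept the genuine
# artifact and reject a tampered one presented with the same genuine envelope.
# Returns false when the verifier exhibits the CVE-2026-31830 behaviour.
def rejects_tampered_artifact?(verifier)
  tampered = GOOD_ARTIFACT + "# injected by an attacker\n"
  genuine_ok = send(verifier, ENVELOPE, GOOD_ARTIFACT).is_a?(VerificationSuccess)
  tampered_rejected = send(verifier, ENVELOPE, tampered).is_a?(VerificationFailure)
  genuine_ok && tampered_rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable verifier rejects tampering? #{rejects_tampered_artifact?(:verify_vulnerable)}" # false
  puts "fixed verifier rejects tampering?      #{rejects_tampered_artifact?(:verify_fixed)}"      # true
end
```

The point of rejects_tampered_artifact? is that a signature-only test would pass against both verifiers; only a test that keeps the attestation genuine and changes the artifact bytes exposes the dropped result. Against the real gem the same check is written by calling Sigstore::Verifier#verify with a valid bundle and a modified copy of the artifact and asserting that the second call does not return VerificationSuccess.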
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10932
Vulnerability details
sigstore-ruby is a pure Ruby implementation of the sigstore verify command from the sigstore/cosign project. Prior to 0.2.3, Sigstore::Verifier#verify does not propagate the VerificationFailure returned by verify_in_toto when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns VerificationSuccess regardless of whether the artifact matches the attested subject. This vulnerability is fixed in 0.2.3.
- CWE(s): CWE-252 (Unchecked Return Value)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Compromise Software Supply Chain (T1195.002)
Why these techniques?
The verification bypass in sigstore-ruby's in-toto/DSSE checks lets a mismatched (malicious) artifact pass integrity checks when presented with a genuine attestation, which is the substitution step in a compromise of software supply chain artifacts and pipelines.
Affected Assets
- sigstore-ruby (RubyGem), versions prior to 0.2.3; fixed in 0.2.3
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of flaws like the unchecked VerificationFailure in sigstore-ruby's verify method, here by upgrading to version 0.2.3 or later.
- SI-7 (Software, Firmware, and Information Integrity): mandates integrity verification mechanisms that detect unauthorized changes, directly countering the false VerificationSuccess for mismatched artifact digests in DSSE bundles.
- SI-6 (Security and Privacy Function Verification): requires verification that security functions, such as the sigstore verifier's handling of in-toto attestations, perform correctly, which for this flaw means testing that an integrity mismatch actually propagates as a failure.