CVE-2026-39395: Cosign's verify-blob-attestation reports false positive when payload parsing fails
cosign verify-blob-attestation may erroneously report a “Verified OK” result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. For new-format bundles, the predicate type validation was bypassed completely.
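The advisory describes two failure modes: a parse error that does not propagate (so the caller keeps going and reports success), and a predicate-type comparison that is never reached. The Go program below is an added illustration, written here and not taken from cosign's source; the `Statement` struct is a simplified stand-in for the in-toto Statement shape, the two check functions are hypothetical, and the payloads are constructed. It places a fail-open check (the bug class) beside the fail-closed form a verifier should use: any parse error, missing `predicateType`, or mismatch against the expected type is a verification failure.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Statement holds only the in-toto Statement fields this check needs.
// Field names follow the in-toto attestation layout; the struct itself is a
// simplified stand-in for illustration, not cosign's own type.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// FailOpenPredicateCheck illustrates the bug class named in the advisory:
// a parse failure is treated as "nothing to compare", so the caller sees no
// error and goes on to report success. Constructed anti-pattern, not cosign code.
func FailOpenPredicateCheck(payload []byte, want string) error {
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return nil // BUG: parse error swallowed, verification continues
	}
	if st.PredicateType != want {
		return fmt.Errorf("predicate type mismatch: got %q, want %q", st.PredicateType, want)
	}
	return nil
}

// FailClosedPredicateCheck is the hardened form: a parse error, a missing
// predicateType, or a mismatch against the expected type all fail verification.
func FailClosedPredicateCheck(payload []byte, want string) error {
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return fmt.Errorf("attestation payload is not a valid in-toto statement: %w", err)
	}
	if st.PredicateType == "" {
		return errors.New("attestation payload has no predicateType")
	}
	if st.PredicateType != want {
		return fmt.Errorf("predicate type mismatch: got %q, want %q", st.PredicateType, want)
	}
	return nil
}

// Constructed sample payloads for the demonstration (not real attestations).
const (
	ValidPayload = `{"_type":"https://in-toto.io/Statement/v1",
	  "predicateType":"https://slsa.dev/provenance/v1",
	  "subject":[{"name":"artifact.tar.gz","digest":{"sha256":"00"}}],
	  "predicate":{}}`
	MalformedPayload = `{"_type":"https://in-toto.io/Statement/v1","predicateType":` // truncated JSON
	ExpectedType     = "https://slsa.dev/provenance/v1"
)

func main() {
	cases := map[string][]byte{
		"valid":     []byte(ValidPayload),
		"malformed": []byte(MalformedPayload),
	}
	for name, p := range cases {
		fmt.Printf("%-9s fail-open: %v | fail-closed: %v\n", name,
			FailOpenPredicateCheck(p, ExpectedType), FailClosedPredicateCheck(p, ExpectedType))
	}
}
```

The design point is that the predicate-type comparison must run on every bundle format a verifier accepts, and that an error from payload decoding must be returned to the caller rather than treated as "no predicate to compare". A test that feeds a truncated payload and a wrong expected type, and asserts that both are rejected, catches regressions of this kind.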