CVE-2026-49835: Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality

June 30, 2026

An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server.

This vulnerability exists because the global wrapMetrics middleware records the raw HTTP request path (r.URL.Path) and raw HTTP request method (r.Method) as Prometheus labels for latency and request count metric vectors. Since this middleware runs before standard routing occurs, it executes for all incoming requests, including those for unmatched paths (yielding 404 responses) or arbitrary request methods. The Prometheus library registers a new, permanent time-series entry for every distinct label combination. An attacker can continuously issue requests containing random paths (e.g., /api/v1/timestamp/<uuid>) or random HTTP methods to exhaust system memory.
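As an added illustration (not code from the timestamp-authority project), the following Go program contrasts a labeler that mirrors the bug, keying metrics on the raw method and path, with one that bounds cardinality by mapping each request onto an allowlist of known routes and methods. The route list, the `other`/`unmatched` sentinels and the synthetic requests are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Route and method allowlists (assumed for illustration; the real server defines its own).
var knownRoutes = map[string]bool{"/api/v1/timestamp": true, "/api/v1/timestamp/certchain": true}
var allowedMethods = map[string]bool{"GET": true, "POST": true}

// labelKey models the label set a Prometheus metric vector is keyed on.
type labelKey struct{ Method, Path string }

// vulnerableLabels mirrors the advisory: raw method and path become labels, one series per value.
func vulnerableLabels(r *http.Request) labelKey {
	return labelKey{Method: r.Method, Path: r.URL.Path}
}

// boundedLabels collapses anything outside the allowlists into sentinels, so cardinality is bounded.
func boundedLabels(r *http.Request) labelKey {
	k := labelKey{Method: "other", Path: "unmatched"}
	if allowedMethods[r.Method] {
		k.Method = r.Method
	}
	if knownRoutes[r.URL.Path] {
		k.Path = r.URL.Path
	}
	return k
}

// distinctSeries counts label sets over reqs: the time series a metric vector would retain.
func distinctSeries(reqs []*http.Request, labeler func(*http.Request) labelKey) int {
	seen := map[labelKey]struct{}{}
	for _, r := range reqs {
		seen[labeler(r)] = struct{}{}
	}
	return len(seen)
}

// syntheticRequests builds n requests with unique paths and made-up methods (constructed input).
func syntheticRequests(n int) []*http.Request {
	reqs := make([]*http.Request, 0, n)
	for i := 0; i < n; i++ {
		u := &url.URL{Path: fmt.Sprintf("/api/v1/timestamp/%08x", i)}
		reqs = append(reqs, &http.Request{Method: fmt.Sprintf("M%d", i), URL: u})
	}
	return reqs
}
```

Over 10000 synthetic requests `distinctSeries` returns 10000 for `vulnerableLabels` but 1 for `boundedLabels`, while a legitimate `POST /api/v1/timestamp` keeps its real labels under both.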

References

  • github.com/advisories/GHSA-9c54-x2g4-v92j
  • github.com/sigstore/timestamp-authority/security/advisories/GHSA-9c54-x2g4-v92j
  • nvd.nist.gov/vuln/detail/CVE-2026-49835

Affected versions

All versions before 2.1.0

Fixed versions

  • 2.1.0

Solution

Upgrade to version 2.1.0 or above.

Impact

5.9 MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Weakness

  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

go/github.com/sigstore/timestamp-authority/v2/CVE-2026-49835.yml

Page generated Wed, 01 Jul 2026 12:46:15 +0000.