CVE-2026-24117: Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL

January 22, 2026 (updated January 23, 2026)

/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.

Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF.

References

github.com/advisories/GHSA-4c4x-jm2x-pf9j
github.com/sigstore/rekor
github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f
github.com/sigstore/rekor/releases/tag/v1.5.0
github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j
nvd.nist.gov/vuln/detail/CVE-2026-24117

Code Behaviors & Features

Detect and mitigate CVE-2026-24117 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →