CVE-2026-24137 sigstore legacy TUF client allows for arbitrary file writes with target cache path traversal

🗓️ 23 Jan 2026 00:04:19Reported by GoogleType

osv🔗 osv.dev👁 3 Views

CVE-2026-24137: legacy TUF client path traversal enables cache file writes in v1.10.3 and earlier; fixed in v1.10.4.

Reporter	Title	Published	Views	Family All 190
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect Data Virtualization on IBM Software Hub (February 2026)	27 Feb 202603:34	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities for EDB Cloudpack for Data CP4D 5.3.1	1 Apr 202606:00	–	ibm
ATTACKERKB	CVE-2026-24137	23 Jan 202600:04	–	attackerkb
Tenable Nessus	Amazon Linux 2023 : runfinch-finch (ALAS2023-2026-1507)	1 Apr 202600:00	–	nessus
Tenable Nessus	Fedora 43 : gh (2026-21a2f3709a)	3 Mar 202600:00	–	nessus
Tenable Nessus	Fedora 44 : jfrog-cli (2026-6b87863841)	1 May 202600:00	–	nessus
Tenable Nessus	Fedora 42 : gh (2026-de52e7caa1)	7 Mar 202600:00	–	nessus
Tenable Nessus	openSUSE 16 Security Update : apptainer (openSUSE-SU-2026:20730-1)	16 May 202600:00	–	nessus
Tenable Nessus	openSUSE 15 Security Update : vexctl (SUSE-SU-2026:0592-1)	21 Feb 202600:00	–	nessus
Tenable Nessus	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : cosign (SUSE-SU-2026:0777-1)	6 Mar 202600:00	–	nessus

Source	Link
github	www.github.com/sigstore/sigstore/releases/tag/v1.10.4
github	www.github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24137.json
github	www.github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-24137
github	www.github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e

16 May 2026 08:29Current

5.7Medium risk

Vulners AI Score5.7

CVSS 3.15.8

EPSS0.00016