2 matches found
CVE-2026-49835
CVE-2026-49835 affects Sigstore Timestamp Authority. The issue arises from the legacy wrapMetrics middleware, which records raw HTTP path and method as Prometheus labels for latency and request count, enabling an unauthenticated attacker to issue requests with arbitrary paths/methods and create u...
CVE-2026-49835 Sigstore Timestamp Authority: OOM due to unbounded metric label cardinality
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.1.0, the global wrapMetrics middleware records raw HTTP request path r.URL.Path and raw HTTP request method r.Method as Prometheus labels for latency and request count metric vectors before routing, allowing an...