CVE-2026-48815: sigstore certificateOIDs Verification Constraint Silently Dropped
The sigstore npm package accepts a certificateOIDs option to restrict which signing certificates are trusted, but silently discards those constraints before verification, so any certificate that passe
The problem
In sigstore <= 4.1.0, the internal `createVerificationPolicy` function builds the policy object passed to the verifier. It copies the SAN and issuer fields into the policy, but never includes `certificateOIDs`.
The result is that callers who set required OID/value pairs on `sigstore.verify()` or `createVerifier()` receive no enforcement at all. A certificate missing the required extensions passes verification silently.
Proof of concept
A proof of concept for CVE-2026-48815 in sigstore. It calls the internal policy builder directly and shows that the required OID/value pair never reaches the policy object:
    // Demonstrates that certificateOIDs is dropped from the constructed policy.
    // Run with: node poc.js
    const { createVerificationPolicy } = require('sigstore/dist/config');
    const policy = createVerificationPolicy({
      certificateIssuer: 'https://issuer.example',
      certificateIdentityEmail: 'victim@example.com',
      certificateOIDs: {
        '1.2.3.4': 'required-value',
      },
    });
    // Prints: false {"subjectAlternativeName":"victim@example.com","extensions":{"issuer":"https://issuer.example"}}
    // certificateOIDs is absent from the policy; the verifier never sees it.
    console.log('certificateOIDs' in policy, JSON.stringify(policy));

The root cause is in `createVerificationPolicy` in `sigstore/src/config.ts`. The function constructs the policy by copying only `subjectAlternativeName` and `extensions.issuer` from the caller-supplied options. The `certificateOIDs` map is accepted by the public API type signature but never read or forwarded.
The patch in 4.1.1 adds the missing mapping: it iterates over `certificateOIDs` and merges each OID/value pair into the `extensions` object that is returned as part of the policy, so the underlying `@sigstore/verify` engine finally receives and enforces those constraints.
CWE-347 (Improper Verification of Cryptographic Signature) applies because the library silently omits a caller-specified constraint, causing the effective verification policy to be weaker than intended.
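The following is an added example, not sigstore's own code. It models the policy builder in the vulnerable shape described above (only SAN and issuer copied) and in the patched shape (OID/value pairs merged into `extensions`), beside a minimal stand-in for the verifier's certificate check. The function names `createVerificationPolicyVulnerable`, `createVerificationPolicyPatched` and `checkCertificateAgainstPolicy` are hypothetical, and the certificate objects are constructed for the demonstration; the point is to see end to end why a certificate lacking the required extension passes under one policy and fails under the other.

```javascript
// Added example (not sigstore's code). Models the documented policy shape
// { subjectAlternativeName, extensions: { issuer, ...oids } } and a toy verifier.

// Vulnerable shape (sigstore <= 4.1.0, as described on this page):
// only the SAN and the issuer are copied; certificateOIDs is never read.
function createVerificationPolicyVulnerable(options) {
  const policy = {};
  const san = options.certificateIdentityEmail || options.certificateIdentityURI;
  if (san) policy.subjectAlternativeName = san;
  if (options.certificateIssuer) policy.extensions = { issuer: options.certificateIssuer };
  return policy;
}

// Patched shape (4.1.1, as described): each OID/value pair from
// certificateOIDs is merged into the extensions object.
function createVerificationPolicyPatched(options) {
  const policy = createVerificationPolicyVulnerable(options);
  if (options.certificateOIDs) {
    policy.extensions = { ...(policy.extensions || {}), ...options.certificateOIDs };
  }
  return policy;
}

// Hypothetical stand-in for the verifier's policy check. `cert` is a
// constructed object { san, extensions: { [name or OID]: value } }.
// Returns null when every constraint in the policy is satisfied,
// otherwise a string naming the first constraint that failed.
function checkCertificateAgainstPolicy(cert, policy) {
  if (policy.subjectAlternativeName && cert.san !== policy.subjectAlternativeName) {
    return `subjectAlternativeName mismatch: got ${JSON.stringify(cert.san)}`;
  }
  for (const [key, expected] of Object.entries(policy.extensions || {})) {
    const actual = cert.extensions[key];
    if (actual !== expected) {
      return `extension ${key}: expected ${JSON.stringify(expected)}, got ${JSON.stringify(actual)}`;
    }
  }
  return null;
}

// Constructed caller options, mirroring the proof of concept above.
const options = {
  certificateIssuer: 'https://issuer.example',
  certificateIdentityEmail: 'victim@example.com',
  certificateOIDs: { '1.2.3.4': 'required-value' },
};

// Constructed certificate: correct SAN and issuer, but the required OID is absent.
const certMissingOid = {
  san: 'victim@example.com',
  extensions: { issuer: 'https://issuer.example' },
};

// Constructed certificate that carries the required OID with the expected value.
const certWithOid = {
  san: 'victim@example.com',
  extensions: { issuer: 'https://issuer.example', '1.2.3.4': 'required-value' },
};

// Runs the three cases that matter and returns the check results so they
// can be inspected or asserted on.
function demo() {
  return {
    // Vulnerable policy: the OID constraint is gone, so the cert passes (null).
    vulnerableMissingOid: checkCertificateAgainstPolicy(certMissingOid, createVerificationPolicyVulnerable(options)),
    // Patched policy: the same cert is rejected because 1.2.3.4 is missing.
    patchedMissingOid: checkCertificateAgainstPolicy(certMissingOid, createVerificationPolicyPatched(options)),
    // Patched policy with a compliant cert: passes (null).
    patchedWithOid: checkCertificateAgainstPolicy(certWithOid, createVerificationPolicyPatched(options)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable builder produces exactly the policy string the proof of concept prints, which is why a certificate with the right identity and issuer but no `1.2.3.4` extension is accepted; only once the pairs are merged into `extensions` does the check have anything to fail on.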
The fix
Upgrade the `sigstore` npm package to version 4.1.1 or later. No configuration change is needed; the fix is internal. If upgrading immediately is not possible, remove reliance on `certificateOIDs` as a security control and enforce OID constraints at a layer outside of sigstore until you can patch.