CVE-2026-24117

CVE-2026-24117

Name

CVE-2026-24117

Description

Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f
MISC	https://github.com/sigstore/rekor/releases/tag/v1.5.0
CONFIRM	https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j

Type

URI

MISC

https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f

MISC

https://github.com/sigstore/rekor/releases/tag/v1.5.0

CONFIRM

https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j

CPE URI	Source package	Min version	Max version
	rekor	>= 0	< 1.5.0
`cpe:2.3:a:linuxfoundation:rekor::::::::`	rekor	>= None	< 1.5.0

CPE URI

Source package

Min version

Max version

rekor

>= 0

< 1.5.0

cpe:2.3:a:linuxfoundation:rekor:*:*:*:*:*:*:*:*

rekor

>= None

< 1.5.0

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
rekor	edge-community	1.4.2-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.2-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.2-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.0-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.0-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.4.0-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r4	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r3	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.9-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.6-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.6-r1	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.3.6-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	edge-community	1.1.1-r0	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r3	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r2	kpcyrd <git@rxv.cc>	possibly vulnerable
rekor	3.23-community	1.4.2-r1	kpcyrd <git@rxv.cc>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages