CVE-2026-24117 - GitHub Advisory Database (original) (raw)

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2026-24117

Rekor affected by Server-Side Request Forgery (SSRF) via provided public key URL

Moderate severity GitHub Reviewed PublishedJan 22, 2026 in sigstore/rekor • Updated Jan 23, 2026

Package

gomod github.com/sigstore/rekor (Go)

Affected versions

<= 1.4.3

Summary

/api/v1/index/retrieve supports retrieving a public key via a user-provided URL, allowing attackers to trigger SSRF to arbitrary internal services.

Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF.

Impact

• SSRF to cloud metadata (169.254.169.254)
• SSRF to internal Kubernetes APIs
• SSRF to any service accessible from Fulcio's network

Patches

Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.

Workarounds

Disable the search endpoint with --enable_retrieve_api=false.

References

• GHSA-4c4x-jm2x-pf9j
• sigstore/rekor@60ef2bc
• https://github.com/sigstore/rekor/releases/tag/v1.5.0
• https://nvd.nist.gov/vuln/detail/CVE-2026-24117

Published to the GitHub Advisory Database

Jan 22, 2026

Last updated

Jan 23, 2026