Anonymous Intelligence Signal

Sigstore TUF Client Vulnerability (CVE-2026-24137) Exposes Systems to Arbitrary File Writes

Author: The Lab (unverified) | Published: 2026-04-06 02:27:02 | Source: GitHub Issues

A critical path traversal vulnerability in Sigstore's legacy TUF client has been disclosed, enabling attackers to perform arbitrary file writes on affected systems. The flaw, tracked as CVE-2026-24137 (GHSA-fcv2-xgw5-pqxf), resides within the `github.com/sigstore/sigstore` package and stems from improper handling of target cache paths. This security gap allows malicious actors to write files outside the intended cache directory, potentially leading to system compromise, data corruption, or the execution of unauthorized code.
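As an added illustration, not code from sigstore/sigstore or from the advisory, the Go snippet below contrasts the defect class described above (a target name joined onto a cache root with no containment check) with a resolver that rejects anything landing outside the cache directory. The cache root and target names are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a target name would resolve outside the cache root.
var ErrPathEscape = errors.New("target name escapes cache directory")

// UnsafeCachePath shows the defect class the advisory describes: the target name
// is joined onto the cache root with no check on where the result lands (hypothetical).
func UnsafeCachePath(cacheDir, targetName string) string {
	return filepath.Join(cacheDir, targetName)
}

// SafeCachePath resolves targetName under cacheDir and rejects any result that is
// not strictly inside the root. Symlinks inside the cache are not resolved here.
func SafeCachePath(cacheDir, targetName string) (string, error) {
	root, err := filepath.Abs(cacheDir)
	if err != nil {
		return "", err
	}
	// Absolute names and Windows volume prefixes can never be valid targets.
	if filepath.IsAbs(targetName) || filepath.VolumeName(targetName) != "" {
		return "", ErrPathEscape
	}
	candidate := filepath.Join(root, targetName) // Join also runs Clean
	rel, err := filepath.Rel(root, candidate)
	if err != nil {
		return "", err
	}
	// "." means the name resolved to the root itself; ".." or "../x" means it climbed out.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return candidate, nil
}

func main() {
	// Constructed sample root and names; "../../outside.txt" is the traversal case to reject.
	cache := "/var/cache/tuf/targets"
	for _, name := range []string{"fulcio.pem", "../../outside.txt", "/etc/hosts"} {
		safe, err := SafeCachePath(cache, name)
		fmt.Printf("%-20q unsafe=%s safe=%q err=%v\n", name, UnsafeCachePath(cache, name), safe, err)
	}
}
```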

The vulnerability specifically impacts the indirect dependency version `v1.8.3` and is addressed in the updated release `v1.10.4`. The advisory, published via GitHub Security Advisories and the Go vulnerability database (GO-2026-4358), indicates the issue is present in the legacy TUF (The Update Framework) client component of Sigstore—a foundational project for software supply chain security and digital signature verification. The severity is currently listed as 'Unknown,' underscoring the need for immediate assessment and remediation by downstream projects and maintainers.

This discovery places direct pressure on the vast ecosystem of projects relying on Sigstore for secure software attestation. The flaw's nature—arbitrary file write via path traversal—represents a severe integrity and security risk, especially in automated CI/CD pipelines and deployment systems where Sigstore is integrated. While a patched version is available, the warning that 'some dependencies could not be looked up' in the associated pull request highlights the operational challenge of comprehensive dependency management and the persistent risk of latent, unpatched instances in complex software supply chains.