CVE-2026-39984: Authorization Bypass in Sigstore Timestamp Authority Certificate Verification
A medium-severity authorization bypass vulnerability has been identified in Sigstore Timestamp Authority, affecting versions 2.0.5 and below. The flaw resides in the VerifyTimestampResponse function within the timestamp-authority/v2/pkg/verification package. The function correctly validates the certificate chain signature, but performs TSA-specific constraint checks against the wrong certificate: instead of using the leaf certificate from the verified chain, it references the first non-CA certificate found in the PKCS#7 certificate bag.
The security implications are significant. An attacker can exploit this discrepancy by prepending a forged certificate to the certificate bag while leaving the message itself signed with an authorized key. This creates a split verification scenario: the library validates the signature against one certificate but runs its authorization checks against another. As a result, an adversary can present a legitimately signed timestamp while bypassing the intended certificate authorization constraints.
The issue directly impacts users of the timestamp-authority/v2/pkg/verification package. Notably, the timestamp-authority service itself and sigstore-go are unaffected by this flaw. The vulnerability has been patched in version 2.0.6, and organizations using the affected package should upgrade immediately. The vulnerable code existed across the release-1.16, release-1.17, and main branches before the fix was applied.
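The split verification described above, as an added Go example that is not code from the timestamp-authority project: it builds a trusted CA, a leaf the CA issued, and an unrelated self-signed "decoy" with in-memory certificates, then contrasts a check that selects the first non-CA certificate in the bag with one that uses the leaf of the chain that actually verified. The TimeStamping-EKU check is a stand-in for the package's real TSA constraints, and all names and certificates are constructed for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"slices"
	"time"
)

// Vulnerable pattern: the constraint (here a stand-in: TimeStamping EKU) is checked on the
// first non-CA cert in the PKCS#7 bag, which need not be the cert whose key signed the response.
func acceptVulnerable(bag []*x509.Certificate) bool {
	for _, c := range bag {
		if !c.IsCA {
			return slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageTimeStamping)
		}
	}
	return false
}

// Fixed pattern: the same constraint is checked on the leaf (index 0) of the verified chain.
func acceptFixed(chain []*x509.Certificate) bool {
	return slices.Contains(chain[0].ExtKeyUsage, x509.ExtKeyUsageTimeStamping)
}

// mkCert issues a throwaway certificate; parent == nil means self-signed.
func mkCert(serial int64, cn string, ca bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: eku}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// buildScenario returns (verified chain, bag) from constructed data: a trusted CA, the real
// signing leaf it issued WITHOUT the EKU, and a self-signed decoy WITH it, placed first in the bag.
func buildScenario() ([]*x509.Certificate, []*x509.Certificate, error) {
	ca, caKey := mkCert(1, "Trusted Root", true, nil, nil, nil)
	leaf, _ := mkCert(2, "Real TSA signer", false, nil, ca, caKey)
	decoy, _ := mkCert(3, "Decoy", false, []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping}, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return nil, nil, err
	}
	return chains[0], []*x509.Certificate{decoy, leaf, ca}, nil
}
```

Only the verified chain ties the constraint check to the key that produced the signature; anything selected from the raw bag is attacker-ordered input.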