A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of service (DoS) condition on the server. This issue is a type of Improper Restriction of Resource Consumption (CWE-770).

Project Subscriptions

No data.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9c54-x2g4-v92j Sigstore Timestamp Authority has OOM due to unbounded metric label cardinality
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 15 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Description A flaw was found in Sigstore Timestamp Authority. An unauthenticated remote attacker can exploit this vulnerability by sending requests with arbitrary HTTP paths and methods. This leads to the creation of an excessive number of unique metric labels, causing unbounded memory growth and a denial of service (DoS) condition on the server. This issue is a type of Improper Restriction of Resource Consumption (CWE-770).
Title timestamp-authority: Sigstore Timestamp Authority: Denial of Service via unbounded metric label cardinality
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Projects

Sign in to view the affected projects.

cve-icon MITRE

No data.

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T18:40:39Z

Links: CVE-2026-49835 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses