CVE-2026-48758

MEDIUMPre-NVD 5.45.4
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 5.4 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
5.4
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 5.4Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

@sigstore/core has DSSE payloadType type-binding failure

Impact

The preAuthEncoding function in @sigstore/core uses Node.js 'ascii' encoding when converting the PAE (Pre-Authentication Encoding) string to bytes. This allows payloadType to be mutated after signing without invalidating the signature, breaking the type-binding guarantee that DSSE is designed to provide.

In packages/core/src/dsse.ts, the PAE function builds a string containing payloadType and then encodes it with Buffer.from(prefix, 'ascii').

In Node.js, 'ascii' encoding for string-to-Buffer is equivalent to 'latin1', which truncates characters above U+00FF to their low byte. This means for any ASCII character, there exist Unicode characters (at U+01xx, U+02xx, etc.) that produce the identical encoded byte:

| Original | Codepoint | Mutant | Codepoint | Encoded byte | |----------|-----------|--------|-----------|--------------| | t | U+0074 | Ŵ | U+0174 | 0x74 | | e | U+0065 | ť | U+0165 | 0x65 |

An attacker can substitute every character in payloadType with a Unicode variant whose low byte matches, producing identical PAE bytes and a passing signature verification.

Additionally, payloadType.length returns the JavaScript string length (UTF-16 code units) rather than the UTF-8 byte length required by the DSSE spec, though this is only a contributing factor for non-ASCII types.

Reproduction

const { preAuthEncoding } = require('@sigstore/core/dist/dsse.js');
const payload = Buffer.from('hello world');

const original = preAuthEncoding('text/plain', payload); // U+01xx chars whose low bytes match the original ASCII chars const mutant = preAuthEncoding('\u0174\u0165\u0178\u0174/\u0170\u016c\u0161\u0169\u016e', payload);

console.log('PAE bytes equal:', original.equals(mutant)); // true — should be false

CVSS v3
5.4
EG Score
5.4(low)
EPSS
KEV
Not listed

Published

June 26, 2026

Last Modified

June 26, 2026

Vendor Advisories for CVE-2026-48758(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 7× in last 7d / 11× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 03:56 UTCEG score recompute
  2. 2026-07-06 02:59 UTCEG score recompute
  3. 2026-07-05 02:10 UTCEG score recompute
  4. 2026-07-04 01:22 UTCEG score recompute
  5. 2026-07-03 00:33 UTCEG score recompute
  6. 2026-07-01 23:43 UTCEG score recompute
  7. 2026-06-30 22:54 UTCEG score recompute
  8. 2026-06-29 22:05 UTCEG score recompute
  9. 2026-06-28 21:15 UTCEG score recompute
  10. 2026-06-27 20:26 UTCEG score recompute
  11. 2026-06-26 19:37 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48758?
CVE-2026-48758 is a medium vulnerability published on June 26, 2026. @sigstore/core has DSSE payloadType type-binding failure Impact The preAuthEncoding function in @sigstore/core uses Node.js 'ascii' encoding when converting the PAE (Pre-Authentication Encoding) string to bytes. This allows payloadType to be mutated after signing without invalidating the signature,…
When was CVE-2026-48758 disclosed?
CVE-2026-48758 was first published in the National Vulnerability Database on June 26, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-48758?
CVE-2026-48758 has a CVSS v4.0 base score of 5.4 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-48758?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48758, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-48758

Explore →

Is Your Infrastructure Affected by CVE-2026-48758?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.