CVE-2026-24117

EUVD-2026-3808
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false.
SSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
linuxfoundationrekor
𝑥
< 1.5.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rekor
forky
1.5.2-1
fixed
sid
1.5.2-1
fixed
trixie
no-dsa
Azure Linux logo
Azure Linux Releases
Azure Package
Release
gh
Azure Linux 3.0
0:2.62.0-13.azl3
fixed
skopeo
Azure Linux 3.0
0:1.14.4-9.azl3
fixed
CBL-Mariner 2.0
0:1.14.2-15.cm2
fixed