CVE-2026-49834
ADVISORY - githubSummary
Impact
What kind of vulnerability is it? Who is impacted?
A verifier configured with WithTransparencyLog(N>1) or WithSignedCertificateTimestamps(N>1) expected defense-in-depth against the compromise of a single log instance. However, threshold counting counted verified witnesses per-entry or per-validation-path rather than per-log-authority.
As a result, a single compromised transparency log could forge multiple entries with different indices, and a single compromised CT log could verify multiple times (either across multiple certificate chains or via multiple embedded SCTs), fully satisfying the multi-log threshold requirements and defeating the multi-log policy.
Note that this does not affect Cosign, as Cosign sets a threshold of 1.
Patches
Has the problem been patched? What versions should users upgrade to?
Upgrade to v1.1.5.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
There is no workaround, beyond relying on trusted logs.
Common Weakness Enumeration (CWE)
Insufficient Verification of Data Authenticity
Sign in to Docker Scout
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in