Sigstore Timestamp Authority, Prometheus Label Cardinality DoS, CVE-2026-49835 (Medium) -DC-Jun2026-758

How CVE-2026-49835 Works

CVE-2026-49835 is a medium-severity vulnerability affecting the Sigstore Timestamp Authority server. An unauthenticated remote attacker can trigger unbounded memory growth on the timestamp authority server, leading to a denial-of-service condition.
The root cause lies in the global `wrapMetrics` middleware, which records the raw HTTP request path (`r.URL.Path`) and raw HTTP request method (`r.Method`) as Prometheus labels for the latency and request-count metric vectors. This middleware executes before routing occurs, so it processes every incoming request indiscriminately, including requests for unmatched paths that yield 404 responses and requests with arbitrary HTTP methods.
The Prometheus client library registers a new, permanent time-series entry for every distinct label combination it encounters. Because the labels are derived directly from untrusted user input (the request path and method), an attacker can continuously issue requests containing random, unique paths—such as `/api/v1/timestamp/` with varying UUIDs—or random HTTP methods. Each unique combination creates a new permanent time-series entry in memory.
Over time, as the attacker floods the server with millions of unique requests, the number of time-series entries grows without bound. This unbounded cardinality exhausts system memory, eventually causing the server to become unresponsive or crash. The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely with minimal effort.

DailyCVE Form:

Platform: Sigstore Timestamp Authority
Version: v2.0.6 and below
Vulnerability: Prometheus Label Cardinality DoS
Severity: Medium (CVSS 5.9)
Date: June 30, 2026

Prediction: July 2026

What Undercode Say:

```bash
# Simulate an attack by sending requests with random UUID paths
for i in {1..100000}; do
  curl -s -o /dev/null "https://timestamp-server.example.com/api/v1/timestamp/$(uuidgen)"
done

# Simulate an attack using random HTTP methods
for method in $(shuf -e GET POST PUT DELETE PATCH OPTIONS HEAD TRACE CONNECT -r -n 100000); do
  curl -s -o /dev/null -X "$method" "https://timestamp-server.example.com/api/v1/timestamp"
done

# Check memory usage and time-series count on the Prometheus server
# (assumed to be scraping the timestamp authority and listening on localhost:9090)
curl -s http://localhost:9090/api/v1/status/runtimeinfo | jq '.data.memoryInUse'
curl -s http://localhost:9090/api/v1/status/tsdb | jq '.data.seriesCountByMetricName'
```

Prometheus Anti-Pattern: Recording `r.URL.Path` and `r.Method` directly as labels violates the fundamental Prometheus best practice of keeping label cardinality bounded and finite. Labels that vary per-request or per-user inevitably lead to cardinality explosion.

How the Exploit Works:

  1. Reconnaissance: Identify a publicly accessible Sigstore Timestamp Authority server running version ≤ v2.0.6.
  2. Craft Malicious Requests: Generate HTTP requests with either:
     – Random, unique paths (e.g., `/api/v1/timestamp/550e8400-e29b-41d4-a716-446655440000`)
     – Arbitrary, non-standard HTTP methods (e.g., RANDOM, FOO, BAR)
  3. Launch Denial-of-Service: Flood the server with thousands or millions of unique requests per second. Each request creates a new permanent Prometheus time-series entry.
  4. Exhaust Memory: As the time-series cardinality grows without bound, the server's memory consumption increases until the system runs out of available memory, causing the service to crash or become unresponsive.

Protection from this CVE:

Immediate Actions:

  • Upgrade to version v2.0.7 or later, which patches the issue by limiting metric label values to a strict allowlist:
    – Expected paths: `/ping`, `/api/v1/timestamp`, `/api/v1/timestamp/certchain`
    – Expected HTTP methods: GET, POST, HEAD, OPTIONS
    – Unrecognized paths/methods are normalized to the static string `"unrecognized"`
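To make the root cause described above and the allowlist fix concrete, here is an added, self-contained Go example (not code from sigstore/timestamp-authority or its patch). It replays constructed requests with unique paths through a stand-in series counter keyed by the raw labels, and again through the allowlist normalization the advisory describes, then compares the resulting cardinality. `SeriesCounter`, `NormalizeLabels` and `Simulate` are this example's own names; the allowlists and the `"unrecognized"` sentinel are taken from the advisory.

```go
package main

import (
	"fmt"
	"net/http"
)

// Allowlists mirror the v2.0.7 fix described in the advisory; the
// "unrecognized" sentinel is the advisory's own. Everything else is constructed here.
var allowedPaths = map[string]bool{
	"/ping": true, "/api/v1/timestamp": true, "/api/v1/timestamp/certchain": true,
}
var allowedMethods = map[string]bool{
	http.MethodGet: true, http.MethodPost: true, http.MethodHead: true, http.MethodOptions: true,
}

const unrecognized = "unrecognized"

// NormalizeLabels is the hardened mapping: attacker-controlled values that are
// not on the allowlist collapse to one constant label value, so the label
// space stays finite no matter what the client sends.
func NormalizeLabels(path, method string) (string, string) {
	if !allowedPaths[path] {
		path = unrecognized
	}
	if !allowedMethods[method] {
		method = unrecognized
	}
	return path, method
}

// SeriesCounter stands in for a Prometheus CounterVec: one map entry per
// distinct label pair, never deleted, which is exactly why cardinality grows.
type SeriesCounter struct{ series map[[2]string]int }

func NewSeriesCounter() *SeriesCounter { return &SeriesCounter{series: map[[2]string]int{}} }

func (c *SeriesCounter) Observe(path, method string) { c.series[[2]string{path, method}]++ }
func (c *SeriesCounter) Cardinality() int            { return len(c.series) }

// Simulate feeds n constructed requests, each with a unique path suffix, through
// a raw (vulnerable) counter and a normalized (fixed) counter and returns both
// series counts: the raw one grows with n, the normalized one stays bounded.
func Simulate(n int) (raw, fixed int) {
	vuln, safe := NewSeriesCounter(), NewSeriesCounter()
	for i := 0; i < n; i++ {
		path := fmt.Sprintf("/api/v1/timestamp/%d", i) // constructed unique path
		vuln.Observe(path, http.MethodGet)
		safe.Observe(NormalizeLabels(path, http.MethodGet))
	}
	return vuln.Cardinality(), safe.Cardinality()
}

func main() {
	raw, fixed := Simulate(10000)
	fmt.Printf("raw label series: %d, normalized label series: %d\n", raw, fixed)
}
```

With normalization in place the worst case is bounded by the product of the two allowlist sizes plus the sentinel, independent of request volume.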

Workarounds (if unable to upgrade immediately):

  • Reverse Proxy Filtering: Block or drop incoming requests with invalid HTTP methods or unknown request paths at a reverse proxy or load balancer before they reach the timestamp authority server.
  • Rate Limiting: Configure rate-limiting on the public interface to prevent attackers from issuing millions of unique requests in a short duration.

Example nginx configuration to block unknown paths and methods (assumes an `upstream timestamp-authority { ... }` block is defined elsewhere in the server configuration):

```nginx
# Allow only the expected paths
location ~ ^/(ping|api/v1/timestamp|api/v1/timestamp/certchain)$ {
    # Allow only the expected methods; 444 closes the connection without a response
    if ($request_method !~ ^(GET|POST|HEAD|OPTIONS)$) {
        return 444;
    }
    proxy_pass http://timestamp-authority;
}

# Block all other paths
location / {
    return 444;
}
```

Impact:

  • Confidentiality: None. This is a denial-of-service vulnerability; no data is exposed or leaked.
  • Integrity: None. The attacker cannot modify or corrupt data.
  • Availability: Critical impact. An unauthenticated remote attacker can exhaust system memory, causing the timestamp authority server to crash or become unresponsive. This disrupts timestamp issuance services, potentially affecting downstream systems that rely on RFC 3161 timestamps for supply chain security and code signing verification.
  • Attack Vector: Network-based, remote, unauthenticated.
  • Exploit Complexity: Low. The attack requires only the ability to send HTTP requests to the target server.
  • Affected Versions: All versions ≤ v1.2.9 and v2 ≤ v2.0.6.


Sources:

Reported By: github.com