Server-Side Request Forgery (SSRF) via provided public key URL

Affected Package
Package: github.com/sigstore/rekor (Go)
Affected Versions: <= 1.4.3
Patched Versions: 1.5.0

Severity
CVSS v3 Base Score: 5.3/10
Severity: Moderate

Summary
The search endpoint supports retrieving a public key via a user-provided URL, which allows an attacker to trigger SSRF against arbitrary internal services reachable from the Rekor server. Because the SSRF can only issue GET requests, the request cannot mutate state on the target, and because the response to that GET is not returned to the caller, data exfiltration is not possible. A malicious actor could still use it as a blind SSRF to probe an internal network, typically by observing differences in error behaviour or response time between reachable and unreachable hosts.

Impact
- SSRF to cloud metadata (169.254.169.254)
- SSRF to internal Kubernetes APIs
- SSRF to any service accessible from the Rekor server's network

Patches
Upgrade to v1.5.0. Note that this is a breaking change to the search API and fully disables lookups by URL. If you require this feature, please reach out and we can discuss alternatives.

Workarounds
Disable the search endpoint with .

Additional Information
CVE ID: CVE-2026-24117
Weaknesses: CWE-918
Reporter: 1seal