GHSA-7c37-gx6w-8vc5: gitsign --verify panics on empty-certificate PKCS7 and exits 0, bypassing exit-code callers
Severity: Medium
security
Summary
gitsign's certificate verification code panics when it receives a signature whose certificate set is empty (a form that is valid under the CMS/PKCS#7 standard). The panic is silently recovered and converted to exit code 0, so a failed verification looks successful to scripts and CI systems that rely only on the exit code.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 8, 2026
Classification
Attack Sophistication: Moderate
Affected Packages
github.com/sigstore/gitsign@>= 0.4.0, < 0.15.0 (fixed: 0.15.0)
Original source: https://github.com/advisories/GHSA-7c37-gx6w-8vc5
First tracked: May 8, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%