GHSA-G27R-R6PH-VF5R: Authentication Bypass via Policy Hash Truncation in sequoia-git

DEV Community·CVE Reports·28 days ago
Vulnerability ID: GHSA-G27R-R6PH-VF5R
CVSS Score: 1.8
Published: 2026-05-04

A logic error in the caching mechanism of the sequoia-git library prior to version 0.6.0 results in the improper processing of OpenPGP hard revocations. A truncation bug during policy hash calculation creates cache collisions, allowing an attacker with a revoked key to bypass commit authentication if they can trick a maintainer into accepting a specific policy modification.

TL;DR: sequoia-git versions prior to 0.6.0 fail to properly enforce OpenPGP key revocations due to a cache collision bug triggered by a zero-byte policy hash. This allows attackers with compromised but revoked keys to sign valid commits if a maintainer merges a malicious policy update.…