Vulnerability Description
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Fulcio | < 1.8.5 |
Related Weaknesses (CWE)
References
- https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c097Patch
- https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mrExploitVendor Advisory
FAQ
What is CVE-2026-22772?
CVE-2026-22772 is a vulnerability with a CVSS score of 5.8 (MEDIUM). Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers t...
How severe is CVE-2026-22772?
CVE-2026-22772 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-22772?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Fulcio.