CVE-2026-22772 | THREATINT

Description

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.

PUBLISHED Reserved 2026-01-09 | Published 2026-01-12 | Updated 2026-01-12 | Assigner GitHub_M

MEDIUM: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 1.8.5

affected

References

github.com/...fulcio/security/advisories/GHSA-59jp-pj84-45mr

github.com/...ommit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d

cve.org (CVE-2026-22772)

nvd.nist.gov (CVE-2026-22772)

Download JSON