CVE-2026-22772 MEDIUM

CVE-2026-22772: Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass

Vendor Sigstore
Product fulcio
Weakness CWE-918 · SSRF
Published January 12, 2026
Last update January 12, 2026
View on NVD All CVEs

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.

Key dates

02Disclosure timeline

January 12, 2026 CVE published
January 12, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-26487 Server Side Request Forgery (SSRF) in the web server of Infinera MTC-9 CVE-2026-50131 Fedify has an incomplete SSRF mitigation after GHSA-p9cg-vqcc-grcx: validatePublicUrl allows special-use IPv4 ranges CVE-2025-65958 Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web CVE-2024-54197 Server-Side Request Forgery in SAP NetWeaver Administrator (System Overview) CVE-2026-41481 LangChain: HTMLHeaderTextSplitter.split_text_from_url SSRF Redirect Bypass