VYPR
Moderate severityOSV Advisory· Published Jan 12, 2026· Updated Jan 12, 2026

Fulcio vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass

CVE-2026-22772

Description

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/sigstore/fulcioGo
< 1.8.51.8.5

Affected products

56

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.