CVE-2026-22772: Fulcio is vulnerable to Server-Side Request Forgery (SSRF) via MetaIssuer Regex Bypass
Fulcio’s metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF against arbitrary internal services.
Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF.
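The following Go example is added here to illustrate the class of defect described above; it is not Fulcio's code. The issuer pattern, host names and URLs are constructed for the example, and `weakAllowed` / `strictAllowed` are hypothetical names for an unanchored check and its hardened counterpart.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed issuer shape for this example (not Fulcio's real pattern):
// a valid issuer looks like https://token.example.test/<tenant>.
const issuerPattern = `https://token\.example\.test/[a-z0-9-]+`

// Unanchored: Go's MatchString finds the pattern anywhere in the string,
// so any URL that merely contains the allowed shape passes.
var weakRe = regexp.MustCompile(issuerPattern)

// Anchored: the entire issuer string must have the allowed shape.
var strictRe = regexp.MustCompile(`^` + issuerPattern + `$`)

// weakAllowed mirrors the vulnerable pattern: an unanchored regex check.
func weakAllowed(issuer string) bool {
	return weakRe.MatchString(issuer)
}

// strictAllowed anchors the regex and then parses the URL, so the host the
// client would actually connect to is compared against the allow-list rather
// than trusting the regex alone.
func strictAllowed(issuer string) bool {
	if !strictRe.MatchString(issuer) {
		return false
	}
	u, err := url.Parse(issuer)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && u.Host == "token.example.test"
}

func main() {
	// Constructed inputs: a legitimate issuer and an unrelated URL that only
	// contains the allowed pattern inside its query string.
	for _, issuer := range []string{
		"https://token.example.test/acme",
		"http://internal.service.local/?next=https://token.example.test/acme",
	} {
		fmt.Printf("%-70s unanchored=%-5v anchored=%v\n",
			issuer, weakAllowed(issuer), strictAllowed(issuer))
	}
}
```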