Home > Vulnerability Database > CVE-2026-22772

Mend.io Vulnerability Database

CVE-2026-22772

Good to know:

Date: January 12, 2026

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.

Severity Score

5.8

Related Resources (5)

Url: https://github.com/sigstore/fulcio

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-22772

Url: https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr

Url: https://github.com/sigstore/fulcio/commit/eaae2f2be56df9dea5f9b439ec81bedae4c0978d

Url: https://www.mend.io/vulnerability-database/CVE-2026-22772

Severity Score

5.8

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version github.com/sigstore/fulcio - v1.8.5;github.com/sigstore/fulcio - v1.8.5;https://github.com/sigstore/fulcio.git - v1.8.5

Learn More

CVSS v3.1

Base Score:	5.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-22772

Good to know:

Date: January 12, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?