CVE-2026-22772

5.8 MEDIUM

📋 TL;DR

CVE-2026-22772 is a server-side request forgery (SSRF) vulnerability in Fulcio's MetaIssuer URL validation. Because the validation regex is not anchored, an attacker can supply a URL that merely contains the allowed pattern and still points elsewhere, causing Fulcio to issue blind requests to internal services and allowing network probing. This affects Fulcio deployments prior to version 1.8.5.
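To illustrate the bug class described above, the following is an added example written for this page, not Fulcio's own code: the allowlist pattern, hostnames and function names are hypothetical. It shows an unanchored regex check beside an anchored one that also compares the parsed scheme and host.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Constructed allowlist pattern for one issuer; hypothetical, not Fulcio's real pattern.
const issuerPattern = `https://issuer\.example\.com/`

// unanchoredAllowed is the weak check. regexp.MatchString succeeds if the pattern
// occurs anywhere in the input, so a URL that merely contains the allowed prefix
// (for example inside its query string) passes even though it points somewhere else.
func unanchoredAllowed(raw string) bool {
	return regexp.MustCompile(issuerPattern).MatchString(raw)
}

// anchoredAllowed is the hardened check: the pattern is anchored to the whole
// string, and the parsed scheme and host are compared exactly so that nothing
// before or after the prefix can change where a request would actually go.
func anchoredAllowed(raw string) bool {
	re := regexp.MustCompile(`^` + issuerPattern + `[A-Za-z0-9._~/-]*$`)
	if !re.MatchString(raw) {
		return false
	}
	u, err := url.Parse(raw)
	return err == nil && u.Scheme == "https" && u.Host == "issuer.example.com"
}

func main() {
	// Constructed sample inputs: one legitimate issuer URL and one that only
	// contains the allowed prefix inside its query string.
	for _, raw := range []string{
		"https://issuer.example.com/tenant-a",
		"http://internal-host.corp.example/?next=https://issuer.example.com/",
	} {
		fmt.Printf("%-70s unanchored=%-5v anchored=%v\n",
			raw, unanchoredAllowed(raw), anchoredAllowed(raw))
	}
}
```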

💻 Affected Systems

Products:
  • Fulcio
Versions: All versions prior to 1.8.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Fulcio deployments using MetaIssuer URL validation functionality.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could map internal network topology, discover internal services, and potentially chain with other vulnerabilities for further exploitation.

🟠

Likely Case

Internal network reconnaissance through blind SSRF, allowing attackers to identify potential targets for further attacks.

🟢

If Mitigated

Limited to network discovery without data exfiltration or state mutation due to GET-only requests and no response return.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting malicious MetaIssuer URLs to bypass regex validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.5

Vendor Advisory: https://github.com/sigstore/fulcio/security/advisories/GHSA-59jp-pj84-45mr

Restart Required: Yes

Instructions:

1. Update Fulcio to version 1.8.5 or later.
2. Restart the Fulcio service.
3. Verify the fix by checking the version and testing MetaIssuer URL validation.

🔧 Temporary Workarounds

Network segmentation (Linux)

Restrict Fulcio's outbound network access to internal address ranges so that a forged MetaIssuer URL cannot reach internal services. Fulcio still has to reach its legitimate OIDC issuers, so do not drop all outbound traffic from the service account; block only the internal ranges, adjusting the ranges and the service user to your deployment:

iptables -A OUTPUT -m owner --uid-owner fulcio -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner fulcio -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner fulcio -d 192.168.0.0/16 -j DROP

With firewalld, an egress rule of this kind goes through the direct interface (a rich rule filters traffic arriving in a zone, not outbound connections); repeat for each internal range and reload:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner fulcio -d 10.0.0.0/8 -j DROP

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit Fulcio's outbound connections
  • Deploy web application firewall (WAF) rules to block SSRF patterns in MetaIssuer URLs

🔍 How to Verify

Check if Vulnerable:

Check Fulcio version: if version < 1.8.5, system is vulnerable.

Check Version:

fulcio --version

Verify Fix Applied:

Confirm Fulcio version is 1.8.5 or later and test MetaIssuer URL validation with crafted inputs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP GET requests from Fulcio process
  • Failed MetaIssuer validation attempts

Network Indicators:

  • Unexpected HTTP traffic from Fulcio to internal IP ranges

SIEM Query:

source="fulcio" AND (http_method="GET" AND dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16))
