CVE-2026-22772: Unanchored Trust in Sigstore Fulcio

Alon Barad
Software Engineer

Jan 13, 2026 · 6 min read

Executive Summary (TL;DR)

Fulcio validates trusted OIDC providers configured as 'MetaIssuers' by compiling their patterns into regular expressions. The generated regexes were missing the start and end anchors ('^' and '$'), so a match anywhere inside the issuer string satisfied the check. An attacker can therefore embed a trusted domain string anywhere in a URL they control (for example in a query parameter) to pass issuer validation and make Fulcio send a request to an arbitrary internal or external host.

A classic regex implementation failure in Sigstore Fulcio lets attackers bypass the OIDC issuer allowlist, resulting in Blind Server-Side Request Forgery (SSRF).

Technical Appendix

CVSS Score: 5.8 / 10
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
EPSS Probability: 0.02% (Top 97% most exploited)

Affected Systems

Sigstore Fulcio < 1.8.5

Affected Versions Detail

Product: Sigstore Fulcio (Sigstore)
Affected Versions: < 1.8.5
Fixed Version: 1.8.5

Attribute / Detail

CVE ID: CVE-2026-22772
CWE ID: CWE-918
CVSS Score: 5.8 (Medium)
Attack Vector: Network
Impact: Blind SSRF / Information Disclosure
Exploit Status: PoC Available (Theoretical)
CWE-918: Server-Side Request Forgery (SSRF)

The application sends a request to a server whose URL matches a configured regular expression, but the expression is not anchored, so the request can be sent to an arbitrary server as long as the trusted pattern appears somewhere in the URL.
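The anchoring defect described in the summary and in the CWE note above, as an added Go example that is not Fulcio's own code: a constructed glob-to-regex conversion is run with and without '^'/'$' anchors against a legitimate issuer and against attacker URLs that carry the trusted host string in a query parameter or path. The TrustedIssuers patterns, the globToRegex and IssuerAllowed functions and the sample issuer URLs are all assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// TrustedIssuers is a constructed sample of MetaIssuer-style glob patterns.
// It is an assumption for this example, not Fulcio's shipped configuration.
var TrustedIssuers = []string{
	"https://oidc.eks.*.amazonaws.com/id/*",
	"https://container.googleapis.com/v1/projects/*/locations/*/clusters/*",
}

// globToRegex turns a glob into a regexp: every '*' becomes a run of
// non-slash characters and everything else is quoted literally.
// anchored=false leaves the pattern free to match anywhere inside the
// issuer string, which is the defect this advisory describes;
// anchored=true pins it to the whole string with '^' and '$'.
func globToRegex(glob string, anchored bool) *regexp.Regexp {
	var sb strings.Builder
	for _, r := range glob {
		if r == '*' {
			sb.WriteString(`[^/]*`)
		} else {
			sb.WriteString(regexp.QuoteMeta(string(r)))
		}
	}
	pat := sb.String()
	if anchored {
		pat = "^" + pat + "$"
	}
	return regexp.MustCompile(pat)
}

// IssuerAllowed reports whether issuer matches any trusted glob under the
// selected anchoring mode. This is the check an SSRF-prone server would
// run before contacting the issuer's discovery endpoint.
func IssuerAllowed(issuer string, globs []string, anchored bool) bool {
	for _, g := range globs {
		if globToRegex(g, anchored).MatchString(issuer) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample issuers: one legitimate, two attacker-controlled.
	issuers := []string{
		"https://oidc.eks.us-east-1.amazonaws.com/id/ABCDEF0123456789",
		// trusted host smuggled into a query parameter of an external URL
		"https://attacker.example/?next=https://oidc.eks.us-east-1.amazonaws.com/id/ABC",
		// trusted host smuggled into the path of an internal address
		"http://10.0.0.5:8080/https://oidc.eks.eu-west-1.amazonaws.com/id/XYZ",
	}
	for _, iss := range issuers {
		fmt.Printf("unanchored=%-5v anchored=%-5v %s\n",
			IssuerAllowed(iss, TrustedIssuers, false),
			IssuerAllowed(iss, TrustedIssuers, true), iss)
	}
}
```

Running it shows the unanchored matcher accepting all three issuers while the anchored one accepts only the first; the fix is the two characters the page names, but the same audit applies to any allowlist built from user-supplied strings and a compiled pattern.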

Vulnerability Timeline

2026-01-12: Vulnerability Published
2026-01-12: Patch Merged (v1.8.5)
2026-01-13: NVD Analysis
