CVE-2026-22772
Blind SSRF in Fulcio metaRegex() Allows Internal Network Probing

Publication date: 2026-01-12

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF. This vulnerability is fixed in 1.8.5.
Meta Information
Published: 2026-01-12
Last Modified: 2026-03-05
Generated: 2026-05-07
AI Q&A: 2026-01-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: linuxfoundation
Product: fulcio
Version / Range: all versions before 1.8.5 (1.8.5 excluded; it is the fixed release)
CWE-918 (Server-Side Request Forgery, SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22772 is a Server-Side Request Forgery (SSRF) vulnerability in Fulcio's metaRegex() function, which checks the issuer URL presented with an OpenID Connect token against the configured MetaIssuer patterns. Before 1.8.5 the function compiled those patterns into an unanchored regular expression, so an attacker-supplied issuer URL that merely contained a configured issuer pattern as a substring (for example, a URL for an internal host with the legitimate issuer appended to its path) passed validation. Fulcio then issued an HTTP GET request to that URL as part of issuer discovery, which lets the attacker direct requests at internal or attacker-controlled services and probe the internal network. The fix adds start (^) and end ($) anchors to the compiled regex so that only an exact match of the issuer pattern is accepted. [1, 2]


How can this vulnerability impact me?

This vulnerability allows an attacker to trigger blind SSRF attacks by causing Fulcio to send HTTP GET requests to arbitrary internal services or attacker-controlled domains. Although these requests cannot mutate state and their responses are not returned to the attacker (preventing direct data exfiltration), the attacker can probe internal network services accessible from Fulcio's environment. This could reveal information about internal infrastructure or services, potentially aiding further attacks. [2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation shows up as HTTP GET requests from the Fulcio host to destinations that are not among the configured issuers, typically internal addresses or attacker-controlled domains, requested with a URL that embeds a legitimate issuer string. Specific commands are not provided in the resources, but capturing traffic on the Fulcio host or at its egress point is the general approach. Note that OIDC issuer discovery normally runs over HTTPS, so the GET method itself is inside TLS and only plain-HTTP requests on port 80 can be matched directly. A tcpdump filter that matches the HTTP method at the start of the TCP payload (computing the payload offset from the TCP data-offset field rather than assuming a fixed header length) is: tcpdump -i <interface> -nn 'src host <fulcio_ip> and tcp dst port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420' where 0x47455420 is the ASCII encoding of 'GET '. For HTTPS traffic, capture outbound connection setup from the Fulcio host instead (tcpdump's tcp-syn flag filter), or use egress-proxy and DNS logs, and compare the destinations against the set of expected issuer hosts. Additionally, reviewing Fulcio's logs for issuer URLs that are not exact matches of a configured issuer (the value Fulcio hands to oidc.NewProvider()) may reveal exploitation attempts. [2]
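The substring-match flaw described in the explanation above, and one way to screen egress logs for the requests it produces, as an added example written for this page (it is not Fulcio's code). The pattern-to-regex step is a simplified reconstruction that assumes the configured MetaIssuer pattern is passed through regexp.QuoteMeta with each `*` turned into a character-class wildcard, which is also why anchors typed into the configuration come out escaped; the EKS-style pattern, the 10.0.0.5 probe target, the issuer strings and the egress-log line format are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

const discoveryPath = "/.well-known/openid-configuration"

// compileMetaIssuer is a simplified reconstruction of the pattern-to-regex
// step (added example code, not Fulcio's implementation). Each "*" in the
// configured MetaIssuer pattern stands for one host or path component.
// regexp.QuoteMeta escapes every metacharacter in the pattern, including any
// "^" or "$" an operator writes into the config, which is why anchoring has
// to happen here in code rather than in configuration.
func compileMetaIssuer(pattern string, anchored bool) (*regexp.Regexp, error) {
	re := regexp.QuoteMeta(pattern)
	re = strings.ReplaceAll(re, `\*`, `[-_a-zA-Z0-9]+`)
	if anchored {
		re = "^" + re + "$" // whole-string match only (the fixed behaviour)
	}
	return regexp.Compile(re)
}

// IssuerAccepted reports whether an issuer URL taken from a not-yet-verified
// token matches the configured pattern under the chosen matching mode.
func IssuerAccepted(pattern, issuer string, anchored bool) bool {
	re, err := compileMetaIssuer(pattern, anchored)
	if err != nil {
		return false
	}
	return re.MatchString(issuer)
}

// DiscoveryURL is the GET an OIDC client issues once an issuer is accepted:
// the issuer with the standard discovery path appended. Under unanchored
// matching the host in this URL is whatever the attacker placed in front of
// the legitimate issuer string.
func DiscoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + discoveryPath
}

// UnexpectedDiscoveryFetches scans egress-log lines of the constructed form
// "<ts> src=<ip> method=GET url=<url>" and returns every discovery fetch whose
// issuer does not match any configured pattern under anchored matching. A hit
// is a request the CA should never have sent and is worth investigating.
func UnexpectedDiscoveryFetches(logLines, patterns []string) []string {
	var flagged []string
	for _, line := range logLines {
		idx := strings.Index(line, "url=")
		if idx < 0 {
			continue
		}
		fields := strings.Fields(line[idx+len("url="):])
		if len(fields) == 0 || !strings.HasSuffix(fields[0], discoveryPath) {
			continue
		}
		issuer := strings.TrimSuffix(fields[0], discoveryPath)
		accepted := false
		for _, p := range patterns {
			if IssuerAccepted(p, issuer, true) {
				accepted = true
				break
			}
		}
		if !accepted {
			flagged = append(flagged, fields[0])
		}
	}
	return flagged
}

func main() {
	pattern := "https://oidc.eks.*.amazonaws.com/id/*" // constructed EKS-style pattern
	legit := "https://oidc.eks.us-east-1.amazonaws.com/id/ABC123"
	crafted := "http://10.0.0.5:8080/probe/" + legit // constructed: legitimate issuer as a path suffix
	for _, iss := range []string{legit, crafted} {
		fmt.Printf("unanchored=%v anchored=%v  GET %s\n",
			IssuerAccepted(pattern, iss, false), IssuerAccepted(pattern, iss, true), DiscoveryURL(iss))
	}
	logs := []string{ // constructed egress-log lines
		"2026-01-12T10:00:00Z src=10.1.2.3 method=GET url=" + DiscoveryURL(legit),
		"2026-01-12T10:00:01Z src=10.1.2.3 method=GET url=" + DiscoveryURL(crafted),
	}
	fmt.Println("flagged:", UnexpectedDiscoveryFetches(logs, []string{pattern}))
}
```

Running the block prints the crafted issuer as accepted only under unanchored matching, and the log scan flags exactly the discovery fetch aimed at 10.0.0.5. The same anchored check used by the scanner is what removes the bug in the validator itself, which is why a config-level "fix" of writing ^ and $ into the pattern does nothing useful: QuoteMeta turns them into literal characters and the legitimate issuer stops matching too.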


What immediate steps should I take to mitigate this vulnerability?

The immediate and only effective mitigation is to upgrade Fulcio to version 1.8.5 or later, where metaRegex() wraps the compiled regular expression in start (^) and end ($) anchors so that only an exact issuer match is accepted. There is no configuration-level workaround: anchors written into a MetaIssuer pattern are escaped as literal characters when the pattern is compiled, so they do not anchor the match. Upgrading the Fulcio deployment to 1.8.5 or newer is therefore required to remediate this issue. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows blind SSRF GET requests to internal services without state mutation or data exfiltration, limiting direct confidentiality impact. However, it could enable internal network probing, which may pose indirect risks to compliance with standards like GDPR or HIPAA that require protection of internal systems and data. Since no data exfiltration occurs and no state changes are possible, the direct impact on compliance is limited, but organizations should consider the risk of internal network exposure and potential indirect effects on compliance. [2]

