CVE & CISA-KEV Catalog

CVE-2026-22772

MEDIUM
5.8
CVSS v3
NVD

Description

Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. This vulnerability is fixed in 1.8.5.

How to fix

Remediation Available
golang-github-sigstore-fulcioDebian
Fixed in:1.8.5-1CVE-2026-22772
registry.redhat.io/rhtas/certificateRed Hat / RHEL
Fixed in:transparency-rhel9@sha256:240a9553315990a06a9d52eaf6e96e3aa1c743f1fbff33b95b489d41cef18f5a_amd64RHSA-2026:2144
registry.redhat.io/rhtas/certificateRocky
Fixed in:transparency-rhel9@sha256:240a9553315990a06a9d52eaf6e96e3aa1c743f1fbff33b95b489d41cef18f5a_amd64RHSA-2026:2144
registry.redhat.io/rhtas/clientRed Hat / RHEL
Fixed in:server-rhel9@sha256:47071a0613d6d262110af4ce6703ce99db72c7ab58e3a6051b82f3098b372a49_amd64RHSA-2026:2924
registry.redhat.io/rhtas/clientRocky
Fixed in:server-rhel9@sha256:47071a0613d6d262110af4ce6703ce99db72c7ab58e3a6051b82f3098b372a49_amd64RHSA-2026:2924
registry.redhat.io/rhtas/cosignRed Hat / RHEL
Fixed in:rhel9@sha256:a8289d488491991d454a32784de19476f2c984917eb7a33b4544e55512f2747c_amd64RHSA-2026:2136
Fixed in:rhel9@sha256:8efb2c8f77e91d7a15063ddc6f7eca1226a494f0f9340590af6e3a2eb9c462c3_amd64RHSA-2026:2922
registry.redhat.io/rhtas/cosignRocky
Fixed in:rhel9@sha256:8efb2c8f77e91d7a15063ddc6f7eca1226a494f0f9340590af6e3a2eb9c462c3_amd64RHSA-2026:2922
Fixed in:rhel9@sha256:a8289d488491991d454a32784de19476f2c984917eb7a33b4544e55512f2747c_amd64RHSA-2026:2136
registry.redhat.io/rhtas/fetch-tsaRed Hat / RHEL
Fixed in:certs-rhel9@sha256:e001128c079f0355e88161c08f092d0d5b0d2f984fdb672002d4bcddf9585cd5_amd64RHSA-2026:2922
Fixed in:certs-rhel9@sha256:358e6addb56ff342bc8d850399b872f039bb9cbd7f108f0838e8e50d54b24857_amd64RHSA-2026:2136
registry.redhat.io/rhtas/fetch-tsaRocky
Fixed in:certs-rhel9@sha256:358e6addb56ff342bc8d850399b872f039bb9cbd7f108f0838e8e50d54b24857_amd64RHSA-2026:2136
Fixed in:certs-rhel9@sha256:e001128c079f0355e88161c08f092d0d5b0d2f984fdb672002d4bcddf9585cd5_amd64RHSA-2026:2922
registry.redhat.io/rhtas/fulcioRocky
Fixed in:rhel9@sha256:d876a5e41b8467cdde921032f2cd53e77bef99ebcd8b61d72a3ad411469ad352_amd64RHSA-2026:2144
registry.redhat.io/rhtas/fulcioRed Hat / RHEL
Fixed in:rhel9@sha256:d876a5e41b8467cdde921032f2cd53e77bef99ebcd8b61d72a3ad411469ad352_amd64RHSA-2026:2144
registry.redhat.io/rhtas/gitsignRed Hat / RHEL
Fixed in:rhel9@sha256:3c39718e61d13648afcb5b0f5741aa771caf9b2f8c52e4af9dfa0635d5b05894_amd64RHSA-2026:2136
Fixed in:rhel9@sha256:4c59990381ce313cd845257e95fd2e910b3d84459c5b3c3aa09fce954a328101_amd64RHSA-2026:2922
registry.redhat.io/rhtas/gitsignRocky
Fixed in:rhel9@sha256:4c59990381ce313cd845257e95fd2e910b3d84459c5b3c3aa09fce954a328101_amd64RHSA-2026:2922
Fixed in:rhel9@sha256:3c39718e61d13648afcb5b0f5741aa771caf9b2f8c52e4af9dfa0635d5b05894_amd64RHSA-2026:2136
registry.redhat.io/rhtas/rekorRed Hat / RHEL
Fixed in:cli-rhel9@sha256:63db8fe95e158a74d31bcfca03a4c8d505012870d594e8fd97cc0cb2af13fe65_amd64RHSA-2026:2136
Fixed in:server-rhel9@sha256:9746960bbc79e0ecf82a0ee12f878e90e202247dcaeb046bdd11db48a52ccb90_amd64RHSA-2026:2144
Fixed in:cli-rhel9@sha256:6dc1b8af2586c0b7dc2786ed075f3e387943bed78818e02c7bd38f0ac1cace0b_amd64RHSA-2026:2922
registry.redhat.io/rhtas/rekorRocky
Fixed in:server-rhel9@sha256:9746960bbc79e0ecf82a0ee12f878e90e202247dcaeb046bdd11db48a52ccb90_amd64RHSA-2026:2144
Fixed in:cli-rhel9@sha256:6dc1b8af2586c0b7dc2786ed075f3e387943bed78818e02c7bd38f0ac1cace0b_amd64RHSA-2026:2922
Fixed in:cli-rhel9@sha256:63db8fe95e158a74d31bcfca03a4c8d505012870d594e8fd97cc0cb2af13fe65_amd64RHSA-2026:2136
registry.redhat.io/rhtas/rekor-backfillRocky
Fixed in:redis-rhel9@sha256:ec50096d68a499e7f605bcfa7afd30845a03e0c4849736431f6752fa8b850897_amd64RHSA-2026:2144
registry.redhat.io/rhtas/rekor-backfillRed Hat / RHEL
Fixed in:redis-rhel9@sha256:ec50096d68a499e7f605bcfa7afd30845a03e0c4849736431f6752fa8b850897_amd64RHSA-2026:2144
registry.redhat.io/rhtas/rekor-searchRocky
Fixed in:ui-rhel9@sha256:3971738912069448174202486b61ed384153ca18af3e8430a55795a6e65eb58d_amd64RHSA-2026:2144
registry.redhat.io/rhtas/rekor-searchRed Hat / RHEL
Fixed in:ui-rhel9@sha256:3971738912069448174202486b61ed384153ca18af3e8430a55795a6e65eb58d_amd64RHSA-2026:2144
registry.redhat.io/rhtas/timestampRed Hat / RHEL
Fixed in:authority-rhel9@sha256:37b9359f11098a781158e5bc0850ec43b599d29a354b43745067656b0a234814_amd64RHSA-2026:2144
registry.redhat.io/rhtas/timestampRocky
Fixed in:authority-rhel9@sha256:37b9359f11098a781158e5bc0850ec43b599d29a354b43745067656b0a234814_amd64RHSA-2026:2144
registry.redhat.io/rhtas/trillianRed Hat / RHEL
Fixed in:logsigner-rhel9@sha256:83a8710df2032471c379f4cfbb3861ec9c4c7794f8b487483dbfb8cf57207750_amd64RHSA-2026:2144
Fixed in:redis-rhel9@sha256:7261ee18d6fd8d42614e94ae3bdb77c5acad54f2b9898365bf8668c60a32589a_amd64RHSA-2026:2144
Fixed in:logserver-rhel9@sha256:7c6cba78fb26addd9f056ec3f8b9376666db353451da37a4681a51d16f2ff76c_amd64RHSA-2026:2144
Fixed in:database-rhel9@sha256:f4e92bf3f35d86fe895a2e3225098b3d4d9dae720ef1d45e9efcf23dec8242b6_amd64RHSA-2026:2144
registry.redhat.io/rhtas/trillianRocky
Fixed in:redis-rhel9@sha256:7261ee18d6fd8d42614e94ae3bdb77c5acad54f2b9898365bf8668c60a32589a_amd64RHSA-2026:2144
Fixed in:logsigner-rhel9@sha256:83a8710df2032471c379f4cfbb3861ec9c4c7794f8b487483dbfb8cf57207750_amd64RHSA-2026:2144
Fixed in:logserver-rhel9@sha256:7c6cba78fb26addd9f056ec3f8b9376666db353451da37a4681a51d16f2ff76c_amd64RHSA-2026:2144
Fixed in:database-rhel9@sha256:f4e92bf3f35d86fe895a2e3225098b3d4d9dae720ef1d45e9efcf23dec8242b6_amd64RHSA-2026:2144
registry.redhat.io/rhtas/updatetreeRocky
Fixed in:rhel9@sha256:67ff8332c09e00cb370355d16f1d06c16ff482e7a8857cdff4f556fae298f951_amd64RHSA-2026:2136
Fixed in:rhel9@sha256:cfba6d424b5e45362bb4e61d9b05bb49a24beb56a3c5ddc3aebdd2e0647179de_amd64RHSA-2026:2922
registry.redhat.io/rhtas/updatetreeRed Hat / RHEL
Fixed in:rhel9@sha256:67ff8332c09e00cb370355d16f1d06c16ff482e7a8857cdff4f556fae298f951_amd64RHSA-2026:2136
Fixed in:rhel9@sha256:cfba6d424b5e45362bb4e61d9b05bb49a24beb56a3c5ddc3aebdd2e0647179de_amd64RHSA-2026:2922

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ScopeChanged

Impact

ConfidentialityLow
IntegrityNone
AvailabilityNone

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Exploit Intelligence

0.22%probability of exploitation in 30 days
12thpercentile

Low risk: more likely to be exploited than 12% of all known CVEs.

References

Exploit1

Related Vulnerabilities

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities, ordered by exploit likelihood. View all

CVESeverityCVSSEPSSExploitedFix
CVE-2024-21893High8.2100%KEV + Ransom-
CVE-2021-40438Critical9.0100%KEVFix
CVE-2021-34473Critical9.1100%KEV + RansomFix
CVE-2021-26855Critical9.1100%KEV + RansomFix
CVE-2021-21985Critical9.8100%KEV + RansomFix
CVE-2022-41040High8.8100%KEV + RansomFix
Embed a live status badge for CVE-2026-22772
CVE-2026-22772 severity badge

Markdown

[![CVE-2026-22772](https://tridentstack.com/cve/badge/CVE-2026-22772.svg)](https://tridentstack.com/cve/CVE-2026-22772)

HTML

<a href="https://tridentstack.com/cve/CVE-2026-22772"><img src="https://tridentstack.com/cve/badge/CVE-2026-22772.svg" alt="CVE-2026-22772"></a>

Find and fix vulnerabilities across your fleet

TridentStack Control continuously scans your Windows, macOS, and Linux fleet for known vulnerabilities, prioritizes them by severity and active exploitation, and patches them automatically.

Start free

This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2026-03-05.