Sigstore Fulcio CVE-2026-49478
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Network-reachable and unauthenticated (PR:N) but requires a controlled/compromised trusted issuer and non-default config (AC:H); SSRF crosses trust boundary (S:C) leaking tokens (C:H) and poisoning verification keys (I:H) with no availability impact.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
Three security vulnerabilities were identified in the OIDC Discovery client:
- Blind Server-Side Request Forgery (SSRF) via Cross-Host Redirects:
Fulcio uses an HTTP client to fetch OIDC discovery metadata (/.well-known/openid-configuration). Prior to this fix, if a configured issuer returned an HTTP redirect to a different host, the client followed it by default. This allowed a compromised or malicious issuer to redirect Fulcio's discovery requests to internal-only systems, resulting in blind SSRF.
- JWKS Substitution and Cache Poisoning:
Because cross-host redirects were permitted during OIDC discovery, an attacker could manipulate the discovery flow to return a malicious jwks_uri pointing to an attacker-controlled host. When Fulcio successfully initialized the provider and cached the resulting verifier in the verifier cache, it poisoned the cache with the attacker's verification keys. The attacker could then present signatures validated against the poisoned keys.
- Kubernetes ServiceAccount Token Leakage:
Fulcio mounts an in-cluster Kubernetes ServiceAccount token to authenticate OIDC discovery requests sent to the local control plane API server (https://kubernetes.default.svc).
- Cross-Host Redirects & JWKS: The token was previously attached globally by the transport, leaking it to third-party hosts if the issuer performed a redirect or if the
jwks_uripointed to a different domain. - Wildcard MetaIssuers: If a wildcard
MetaIssuerof typekubernetes(e.g., matching external EKS/GKE endpoints) was matched, and a local Kubernetes issuer was present in the config, the transport loaded and attached the local in-cluster ServiceAccount token to outbound requests sent to the external host.
Patches
The following mitigations have been applied:
- Blocked Cross-Host Redirects: A custom callback is configured on all OIDC discovery HTTP clients to reject redirects that attempt to cross the original issuer's host boundary.
- Restricted Token Injection: Updated the transport to only attach the ServiceAccount token when the outgoing request's host exactly matches the configured host of the issuer.
- Restricted Local Token Loading: Constrained the loader to only load and wrap the transport with the local ServiceAccount token when the target issuer URL exactly matches the private local API server (
https://kubernetes.default.svc).
Workarounds
None, upgrade to v1.8.6
AnalysisAI
Server-Side Request Forgery in Sigstore Fulcio (before v1.8.6) lets a compromised or malicious OIDC issuer redirect the OIDC Discovery client's metadata fetches to attacker-chosen hosts, enabling blind SSRF against internal systems, poisoning of the verifier cache via a substituted jwks_uri so forged signatures validate, and leakage of the in-cluster Kubernetes ServiceAccount token to third-party hosts. Unauthenticated remote attackers who control a configured (or wildcard-matched) issuer can chain these into trust compromise of the certificate authority. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that Fulcio be configured to trust an issuer the attacker controls or can compromise, OR that a wildcard MetaIssuer of type kubernetes is configured alongside a local kubernetes issuer (e.g. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N, base 8.7) reflects a high-impact, scope-changing flaw that is network-reachable and unauthenticated but high-complexity, because exploitation depends on the attacker controlling an issuer that Fulcio is configured to trust or that a wildcard MetaIssuer matches - not arbitrary internet attackers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or compromises an OIDC issuer that a target Fulcio is configured to trust returns a discovery document that redirects to an attacker-controlled host advertising a malicious jwks_uri; Fulcio follows the cross-host redirect, caches the attacker's verification keys, and subsequently accepts identity tokens signed by the attacker, allowing forged identities to obtain signing certificates. In a Kubernetes deployment, the same redirect or a wildcard MetaIssuer match causes Fulcio to attach its in-cluster ServiceAccount token to the outbound request, leaking it to the attacker's host. … |
| Remediation | Vendor-released patch: upgrade to Fulcio v1.8.6, which blocks cross-host redirects on all OIDC discovery HTTP clients, attaches the ServiceAccount token only when the request host exactly matches the configured issuer host, and loads the local in-cluster token only when the target exactly equals https://kubernetes.default.svc. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Sigstore Fulcio deployments and document exact versions in use. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f5mr-q85p-6hh6