CVE-2026-22772: CWE-918: Server-Side Request Forgery (SSRF) in sigstore fulcio
Fulcio is a certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.5, Fulcio's metaRegex() function uses an unanchored regex, allowing attackers to bypass MetaIssuer URL validation and trigger SSRF to arbitrary internal services. Since the SSRF can only trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller, so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through blind SSRF. This vulnerability is fixed in 1.8.5.
AI Analysis
Technical Summary
CVE-2026-22772 is a medium severity SSRF vulnerability in sigstore Fulcio, the certificate authority that issues code signing certificates for OpenID Connect identities. Fulcio's metaRegex() function builds a regular expression from a configured MetaIssuer URL pattern, but the expression is unanchored, so an issuer URL is accepted when any substring of it matches the pattern rather than the whole URL. An attacker can therefore present an issuer URL whose host is an internal address and whose path merely contains a string matching the pattern; Fulcio accepts the issuer and sends an HTTP GET to that internal host, which is a blind SSRF. Only GET requests can be triggered and the response body is not returned to the caller, so the advisory rates the impact as reconnaissance rather than state mutation or data exfiltration. Two caveats apply: the "cannot mutate state" claim holds only insofar as the probed internal services treat GET as side-effect-free, and blind SSRF still gives the attacker a reachability oracle (differences in latency or in the error Fulcio returns), which is what makes internal network mapping possible. The affected code path is MetaIssuer matching, so deployments that configure wildcard MetaIssuer patterns are the ones exposed. All Fulcio versions prior to 1.8.5 are affected; 1.8.5 anchors the regex so that the entire issuer URL must match the pattern. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) reflects a network attack of low complexity requiring no privileges or user interaction, a changed scope (the impact lands on internal services other than Fulcio itself), and a low confidentiality impact from internal network probing. No public exploit has been reported, but the vulnerability matters wherever Fulcio is deployed as part of the software supply chain, especially in organizations relying on code signing for software integrity and provenance.
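As an added illustration (not Fulcio's own code), the following Go program shows why an unanchored regular expression fails as a URL allowlist. It converts a wildcard MetaIssuer pattern into a regexp the way a glob-to-regex helper would, once without and once with ^ and $ anchors, and checks the same candidate issuer URLs against both. The pattern, the wildcard character class [-_a-zA-Z0-9]+, the function names and the internal address 10.0.0.5 are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// metaIssuerRegex turns a MetaIssuer pattern such as
// "https://oidc.eks.*.amazonaws.com/id/*" into a regular expression.
// Every literal character is escaped and each "*" becomes a wildcard for
// one host label or path segment. The wildcard class is an assumption for
// this illustration, not Fulcio's own code.
func metaIssuerRegex(pattern string, anchored bool) (*regexp.Regexp, error) {
	quoted := regexp.QuoteMeta(pattern)
	expr := strings.ReplaceAll(quoted, `\*`, `[-_a-zA-Z0-9]+`)
	if anchored {
		// ^ and $ force the whole issuer URL to match the pattern
		// instead of any substring of it.
		expr = "^" + expr + "$"
	}
	return regexp.Compile(expr)
}

// issuerAllowed reports whether issuerURL is accepted by the MetaIssuer
// pattern under the unanchored (vulnerable) or anchored (fixed) check.
func issuerAllowed(pattern, issuerURL string, anchored bool) bool {
	re, err := metaIssuerRegex(pattern, anchored)
	if err != nil {
		return false
	}
	return re.MatchString(issuerURL)
}

func main() {
	const pattern = "https://oidc.eks.*.amazonaws.com/id/*"
	cases := []string{
		// Legitimate issuer: matches under both checks.
		"https://oidc.eks.eu-west-1.amazonaws.com/id/ABC123",
		// Constructed attacker-chosen issuer: the host is an internal address and
		// the path merely contains a string that matches the pattern. The
		// unanchored check accepts it, so the discovery fetch goes to 10.0.0.5.
		"http://10.0.0.5:8080/probe/https://oidc.eks.eu-west-1.amazonaws.com/id/ABC123",
		// Same trick with a trailing segment; anchoring rejects both variants.
		"https://evil.example/https://oidc.eks.eu-west-1.amazonaws.com/id/ABC123/",
	}
	for _, c := range cases {
		fmt.Printf("%-85s unanchored=%-5t anchored=%t\n", c,
			issuerAllowed(pattern, c, false), issuerAllowed(pattern, c, true))
	}
}
```

The anchored form is the minimum fix; a pattern language that restricts the wildcard to a single label (no "/" or "@") is what keeps userinfo and path tricks out even after anchoring.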
Potential Impact
For European organizations, the primary impact of this SSRF vulnerability lies in the potential exposure of internal network infrastructure to external attackers. Organizations using vulnerable fulcio versions in their code signing or software supply chain processes may inadvertently allow attackers to probe internal services that are otherwise inaccessible from the internet. This could lead to the discovery of sensitive internal endpoints, misconfigured services, or other vulnerabilities that could be exploited in subsequent attacks. While the vulnerability does not allow direct data exfiltration or state changes, the reconnaissance capability can facilitate lateral movement or targeted attacks within the network. Given the increasing reliance on secure software supply chains in Europe, especially in sectors like finance, healthcare, and critical infrastructure, this vulnerability could undermine trust in code signing processes and increase the risk of supply chain attacks. Additionally, organizations subject to strict data protection regulations (e.g., GDPR) must consider the risk of internal network exposure as part of their security posture. The absence of known exploits reduces immediate risk, but the medium severity rating and potential for internal network mapping warrant prompt remediation.
Mitigation Recommendations
European organizations should take the following specific steps to mitigate this vulnerability:
1) Upgrade Fulcio to version 1.8.5 or later immediately; this is the only fix for the unanchored regex itself.
2) Restrict outbound HTTP from the Fulcio host to the OIDC issuers it actually needs (egress firewall rules, an egress proxy with an allowlist, or a Kubernetes NetworkPolicy), so that a bypassed check cannot reach internal address space, including cloud metadata endpoints.
3) Segment the network so that sensitive internal services are not reachable from the Fulcio host at all; Fulcio only needs to reach its configured issuers, its log/transparency backends and its signing backend.
4) Monitor egress from the Fulcio host (proxy or flow logs) for connections to unexpected destinations, and watch Fulcio's own logs for issuer-lookup or discovery errors that spike outside normal issuer traffic; such errors are what a blind probe produces.
5) Include SSRF in internal security assessments and penetration tests of the software supply chain infrastructure, including the identity and signing components.
6) Educate development and DevOps teams about the risks of SSRF in certificate authorities and related components and about secure MetaIssuer configuration.
7) A WAF is of limited value here, because the attacker-controlled issuer URL arrives inside the OIDC token that Fulcio is asked to verify rather than as a visible request parameter; network-level egress controls (items 2 and 3) are the more reliable compensating control.
8) Maintain an inventory of all Fulcio deployments and apply consistent patch management across all environments so that vulnerable versions do not persist.
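Items 2 and 3 are network controls, but a Fulcio-like service can also enforce the same policy in its own outbound HTTP client. The Go program below is an added example, not Fulcio code: it performs a static check of an issuer URL (https only, no userinfo, no IP literal in a loopback, private, link-local or cloud-metadata range) and then re-checks every resolved address at dial time through a custom DialContext, so that a public hostname resolving to an internal address (including DNS rebinding) is refused as well; it also declines to follow redirects, since a public issuer could otherwise redirect the fetch inward. Function names and sample URLs are constructed for the example; this is defence in depth and not a substitute for upgrading to 1.8.5.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// disallowedIP reports whether an address must never be the target of an
// outbound issuer fetch: loopback, RFC 1918 / IPv6 ULA private ranges,
// link-local (which includes the 169.254.169.254 cloud metadata endpoint),
// unspecified and multicast addresses.
func disallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// checkIssuerURL applies the static part of the guard: https only, a host
// present, no embedded credentials, and no IP literal in a disallowed range.
func checkIssuerURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return fmt.Errorf("issuer %q: scheme %q not allowed", raw, u.Scheme)
	}
	if u.Hostname() == "" {
		return fmt.Errorf("issuer %q: empty host", raw)
	}
	if u.User != nil {
		return fmt.Errorf("issuer %q: userinfo not allowed", raw)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && disallowedIP(ip) {
		return fmt.Errorf("issuer %q: %s is not an allowed target", raw, ip)
	}
	return nil
}

// guardedDial resolves the host and re-checks every resolved address at
// dial time, then connects to the vetted IP rather than the hostname so the
// check and the connection cannot disagree (DNS rebinding).
func guardedDial(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %s", host)
	}
	for _, ip := range ips {
		if disallowedIP(ip.IP) {
			return nil, fmt.Errorf("refusing to connect to %s (%s)", host, ip.IP)
		}
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newGuardedClient returns an http.Client that dials only through guardedDial
// and refuses redirects. TLS verification still uses the request's hostname,
// so dialing the vetted IP does not weaken certificate checking.
func newGuardedClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: guardedDial},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("redirects are not followed for issuer discovery")
		},
	}
}

func main() {
	// Constructed sample issuer URLs: one legitimate, three that the guard rejects.
	for _, raw := range []string{
		"https://oidc.eks.eu-west-1.amazonaws.com/id/ABC123",
		"http://10.0.0.5:8080/probe",
		"https://169.254.169.254/latest/meta-data/",
		"https://[::1]:8443/",
	} {
		fmt.Printf("%-55s -> %v\n", raw, checkIssuerURL(raw))
	}
	_ = newGuardedClient()
}
```

The guard only prevents the discovery request from reaching internal address space; it does not establish that the issuer is trusted, so it sits behind, not in place of, the issuer allowlist check.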
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-09T18:27:19.387Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696562ddda2266e83825fa01
Added to database: 1/12/2026, 9:08:45 PM
Last enriched: 1/12/2026, 9:23:10 PM
Last updated: 1/12/2026, 11:39:49 PM
Views: 5
Related Threats
- CVE-2026-22214: CWE-121 Stack-based Buffer Overflow in RIOT RIOT OS (Medium)
- CVE-2026-22213: CWE-121 Stack-based Buffer Overflow in RIOT RIOT OS (Low)
- CVE-2024-58340: CWE-1333 Inefficient Regular Expression Complexity in LangChain AI LangChain (High)
- CVE-2024-58339: CWE-770 Allocation of Resources Without Limits or Throttling in run-llama llama_index (High)
- CVE-2024-14021: CWE-502 Deserialization of Untrusted Data in run-llama llama_index (High)