How CVE-2026-49478 Works
Fulcio is a certificate authority that issues code-signing certificates based on OpenID Connect (OIDC) identities. To validate these identities, it acts as an OIDC Discovery client, fetching metadata from a configured issuer’s `/.well-known/openid-configuration` endpoint. CVE-2026-49478 is a composite of three critical vulnerabilities that arise from how Fulcio handles this discovery process, primarily due to the unsafe default behavior of following cross-host HTTP redirects.
The first vulnerability is a Blind Server-Side Request Forgery (SSRF). Prior to the fix, if a configured issuer returned an HTTP redirect to a different host, Fulcio’s HTTP client would follow it without question. This allowed a malicious or compromised issuer to redirect Fulcio’s internal discovery requests to arbitrary internal systems, such as cloud metadata services (e.g., 169.254.169.254) or internal Kubernetes APIs. This is a “blind” SSRF because the response from the internal service is not returned to the attacker, but it can still be used for network probing and internal service discovery.
The second vulnerability is JWKS Substitution and Cache Poisoning. Because cross-host redirects were permitted, an attacker could control the entire discovery flow. By returning a malicious discovery document with a `jwks_uri` pointing to an attacker-controlled host, they could poison Fulcio’s verifier cache. When Fulcio initializes the provider, it caches the resulting verifier (which contains the JSON Web Key Set, or JWKS). By poisoning this cache with attacker-controlled verification keys, the attacker could then present fraudulent signatures that Fulcio would incorrectly validate as genuine.
The third vulnerability is Kubernetes ServiceAccount Token Leakage. Fulcio mounts an in-cluster Kubernetes ServiceAccount token to authenticate requests to the local API server (`https://kubernetes.default.svc`). The transport that attaches this token did so globally, to every outbound request. This meant that if an OIDC discovery request was redirected to a third-party host, or if the `jwks_uri` pointed to an external domain, the in-cluster token would be leaked to that external host. Furthermore, if a wildcard `MetaIssuer` of type `kubernetes` (e.g., one matching external EKS/GKE endpoints) was configured alongside a local Kubernetes issuer, the transport would load and attach the local in-cluster token to outbound requests sent to the external host, leading to a significant token leak.
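As an added illustration of the key-substitution risk described above (example code written for this page, not Fulcio's own implementation; the type, function and error names are hypothetical), the following Go snippet parses a discovery document and rejects the two substitution patterns: an `issuer` value that differs from the configured issuer, which OIDC Discovery already forbids, and a `jwks_uri` on another host. The same-host pin on `jwks_uri` is a local policy assumed here, not something the specification requires or the page says Fulcio does, so it carries an allowlist for providers that legitimately serve keys from another host. The sample documents are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// discoveryDoc holds the two fields of /.well-known/openid-configuration that
// matter for key substitution; other fields are ignored in this example.
type discoveryDoc struct {
	Issuer  string `json:"issuer"`
	JWKSURI string `json:"jwks_uri"`
}

// Hypothetical error values, chosen for this example.
var (
	ErrIssuerMismatch = errors.New("discovery document 'issuer' differs from the configured issuer")
	ErrJWKSNotHTTPS   = errors.New("jwks_uri must use https")
	ErrJWKSOffHost    = errors.New("jwks_uri is not on the issuer's host")
)

// validateDiscovery parses the body fetched for configuredIssuer and refuses
// documents that would steer key retrieval to a third party. The issuer check
// is required by OIDC Discovery; the same-host pin on jwks_uri is a stricter
// local policy (an assumption of this example) that needs an allowlist for
// providers that legitimately serve keys from a different host.
func validateDiscovery(configuredIssuer string, body []byte, jwksHostAllowlist []string) (*discoveryDoc, error) {
	var doc discoveryDoc
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, fmt.Errorf("parse discovery document: %w", err)
	}
	if doc.Issuer != configuredIssuer {
		return nil, fmt.Errorf("%w: got %q", ErrIssuerMismatch, doc.Issuer)
	}
	iss, err := url.Parse(configuredIssuer)
	if err != nil {
		return nil, err
	}
	jwks, err := url.Parse(doc.JWKSURI)
	if err != nil || jwks.Host == "" {
		return nil, fmt.Errorf("malformed jwks_uri %q", doc.JWKSURI)
	}
	if jwks.Scheme != "https" {
		return nil, fmt.Errorf("%w: %s", ErrJWKSNotHTTPS, doc.JWKSURI)
	}
	if !strings.EqualFold(jwks.Host, iss.Host) && !allowedHost(jwks.Host, jwksHostAllowlist) {
		return nil, fmt.Errorf("%w: %s", ErrJWKSOffHost, jwks.Host)
	}
	return &doc, nil
}

// allowedHost reports whether host appears in the operator-maintained allowlist.
func allowedHost(host string, list []string) bool {
	for _, h := range list {
		if strings.EqualFold(h, host) {
			return true
		}
	}
	return false
}

// Constructed sample documents for a configured issuer of https://issuer.example.
const (
	goodDoc          = `{"issuer":"https://issuer.example","jwks_uri":"https://issuer.example/keys"}`
	substitutedDoc   = `{"issuer":"https://issuer.example","jwks_uri":"https://attacker.example/keys"}`
	spoofedIssuerDoc = `{"issuer":"https://attacker.example","jwks_uri":"https://attacker.example/keys"}`
)

func main() {
	samples := map[string]string{"good": goodDoc, "substituted": substitutedDoc, "spoofed": spoofedIssuerDoc}
	for name, body := range samples {
		_, err := validateDiscovery("https://issuer.example", []byte(body), nil)
		fmt.Printf("%-11s -> %v\n", name, err)
	}
}
```

The point of the allowlist parameter is that a hard same-host rule breaks real providers; treating the pin as configuration keeps the default strict while letting an operator document each exception explicitly.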
<h2 style="color: blue;">DailyCVE Form:</h2>
Platform: ....... Sigstore Fulcio
Version: ........ 1.8.5 and earlier
Vulnerability: .. CVE-2026-49478 (SSRF, Cache Poisoning, Token Leak)
Severity: ....... Critical
Date: ........... June 30, 2026
<h2 style="color: blue;">Prediction: ...... Upgrade to v1.8.6</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
The core of these vulnerabilities lies in the unsafe handling of external input and the overly permissive default behavior of the HTTP client. The lack of restrictions on cross-host redirects is the primary enabler for the SSRF and cache poisoning attacks. Furthermore, the global attachment of the highly sensitive Kubernetes ServiceAccount token represents a significant violation of the principle of least privilege.
<h2 style="color: blue;">Analytics:</h2>
- Attack Vector: Network-based, remote exploitation.
- Complexity: Low. An attacker only needs to control a malicious OIDC issuer or be able to redirect a legitimate one.
- Privileges Required: None.
- User Interaction: None.
- Scope: The impact is limited to the Fulcio service itself, but the consequences (token leakage, signature forgery) can be far-reaching.
<h2 style="color: blue;">Exploit:</h2>
An attacker could exploit this vulnerability by following these steps:
1. Establish a Malicious Endpoint: Set up a server to act as a malicious OIDC issuer.
2. Trigger Fulcio Discovery: Cause Fulcio to initiate OIDC discovery against the attacker's endpoint. This could be done by submitting a JWT with a crafted `iss` claim that matches a vulnerable `MetaIssuer` pattern.
3. Redirect to Internal Service: The malicious endpoint responds to the discovery request with an HTTP 302 redirect to an internal service, such as the cloud metadata service (`http://169.254.169.254/latest/meta-data/`).
4. Poison the Cache (Optional): The malicious endpoint could also return a valid-looking OIDC discovery document containing a `jwks_uri` pointing to the attacker’s own key server. Fulcio would then fetch and cache the attacker’s keys, allowing the attacker to sign arbitrary artifacts that Fulcio would consider valid.
5. Leak the Token: If the attacker’s endpoint is external, and a local Kubernetes issuer is configured, the globally-attached ServiceAccount token would be sent in the request to the attacker’s server, exposing it.
Protection:
The primary and only recommended protection is to upgrade to Fulcio version v1.8.6 or later. This version implements several critical mitigations:
– Blocked Cross-Host Redirects: A custom callback on the HTTP client rejects any redirect that crosses the original issuer’s host boundary.
– Restricted Token Injection: The transport is updated to only attach the ServiceAccount token when the outgoing request’s host exactly matches the configured host of the issuer.
– Restricted Local Token Loading: The loader only loads and wraps the transport with the local ServiceAccount token when the target issuer URL exactly matches `https://kubernetes.default.svc`.
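The three mitigations above, reduced to a self-contained Go example (added here for this page, not Fulcio's code; identifiers such as `sameHostRedirectPolicy` and `hostScopedTokenTransport` are hypothetical): a `CheckRedirect` callback that refuses any hop leaving the issuer's scheme and host, a `RoundTripper` that attaches the bearer token only when the destination host exactly matches the configured one, and an exact-match gate on whether the in-cluster token is loaded at all. The recording transport stands in for the network so the code runs offline; the issuer and hosts are constructed, apart from the metadata address named in the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Identifiers in this file are hypothetical, chosen for the example, not Fulcio's.
var ErrCrossHostRedirect = errors.New("refusing cross-host redirect during OIDC discovery")

// inClusterIssuer is the only issuer for which the local ServiceAccount token is wired in.
const inClusterIssuer = "https://kubernetes.default.svc"

// sameHostRedirectPolicy builds an http.Client.CheckRedirect callback that follows a
// redirect only if it stays on the issuer's scheme and host (port included).
func sameHostRedirectPolicy(issuerURL string) (func(*http.Request, []*http.Request) error, error) {
	iss, err := url.Parse(issuerURL)
	if err != nil {
		return nil, err
	}
	return func(next *http.Request, via []*http.Request) error {
		if len(via) >= 10 { // setting CheckRedirect replaces Go's default hop limit, so keep one
			return errors.New("stopped after 10 redirects")
		}
		if next.URL.Scheme != iss.Scheme || !strings.EqualFold(next.URL.Host, iss.Host) {
			return fmt.Errorf("%w: %s -> %s", ErrCrossHostRedirect, via[len(via)-1].URL, next.URL)
		}
		return nil
	}, nil
}

// redirectAllowed evaluates the policy for a single hop, as http.Client would call it.
func redirectAllowed(issuerURL, fromURL, toURL string) error {
	policy, err := sameHostRedirectPolicy(issuerURL)
	if err != nil {
		return err
	}
	from, err := http.NewRequest(http.MethodGet, fromURL, nil)
	if err != nil {
		return err
	}
	to, err := http.NewRequest(http.MethodGet, toURL, nil)
	if err != nil {
		return err
	}
	return policy(to, []*http.Request{from})
}

// hostScopedTokenTransport attaches the bearer token only when the request's host
// exactly matches allowedHost; every other destination is sent without a credential.
type hostScopedTokenTransport struct {
	allowedHost string
	token       string
	base        http.RoundTripper
}

func (t *hostScopedTokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if strings.EqualFold(req.URL.Host, t.allowedHost) {
		req = req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
		req.Header.Set("Authorization", "Bearer "+t.token)
	}
	return t.base.RoundTrip(req)
}

// shouldUseInClusterToken mirrors the restricted loader: exact match only, so a wildcard
// kubernetes-type MetaIssuer for EKS/GKE never picks up the local token.
func shouldUseInClusterToken(issuerURL string) bool {
	return issuerURL == inClusterIssuer
}

// recordingTransport is a constructed stand-in for the network: it records the
// Authorization header it received and answers 200 without dialing anything.
type recordingTransport struct{ lastAuth string }

func (r *recordingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r.lastAuth = req.Header.Get("Authorization")
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Request: req}, nil
}

// sendWithToken sends a GET to target through the scoped transport and reports which
// Authorization header would actually have left the process.
func sendWithToken(allowedHost, token, target string) (string, error) {
	rec := &recordingTransport{}
	client := &http.Client{Transport: &hostScopedTokenTransport{allowedHost: allowedHost, token: token, base: rec}}
	resp, err := client.Get(target)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return rec.lastAuth, nil
}

func main() {
	// Constructed issuer and hosts; the metadata address is the one named in the advisory.
	start := "https://issuer.example/.well-known/openid-configuration"
	fmt.Println("cross-host redirect:", redirectAllowed("https://issuer.example", start, "http://169.254.169.254/latest/meta-data/"))
	auth, _ := sendWithToken("kubernetes.default.svc", "sa-token", "https://attacker.example/jwks")
	fmt.Printf("token sent to external host: %q\n", auth)
}
```

Two details worth keeping when adapting this: a port change counts as a different host, since `url.URL.Host` includes the port, and installing a custom `CheckRedirect` discards Go's built-in ten-hop limit, so the callback has to reinstate one.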
Impact:
The successful exploitation of these vulnerabilities can have severe consequences:
– Information Disclosure: Leakage of the in-cluster Kubernetes ServiceAccount token. This token could grant an attacker significant privileges within the Kubernetes cluster, potentially leading to cluster compromise.
– Integrity Violation: Cache poisoning allows an attacker to bypass Fulcio’s signature verification. This means they could sign malicious code or artifacts that would be incorrectly trusted by systems relying on Fulcio for validation.
– Network Probing: The blind SSRF can be used to map out internal network topology and identify vulnerable internal services.
Sources:
Reported By: github.com